The API should only allow access from your site by default. Or at least IF there is a referrer header then it must much your site. Of course it is easy for a hacker to add a false referrer header but there aren't many times when any API call is ok for unauthenticated users but is a security concern for hackers. If you have such a scenario then perhaps look to hack the AntiForgeryToken functionality to quickly confirm that the user is on your site:
How to secure an API
I want to provide an API for a few other pages to pull and push data.
Of course access should only be allowed for my own websites.
How would you implement this?
The API should only allow access from your site by default. Or at least IF there is a referrer header then it must much your site. Of course it is easy for a hacker to add a false referrer header but there aren't many times when any API call is ok for unauthenticated users but is a security concern for hackers. If you have such a scenario then perhaps look to hack the AntiForgeryToken functionality to quickly confirm that the user is on your site:
See http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-csrf-attacks under the heading Anti-CSRF and AJAX
Hi David,
thanks for your reply.
The API-Calls will come from diffrent domains (on diffrent servers). Otherwise I would just overwrite the UmbracoAutheticatedApiController.
The best case would be if the other website is authenticated as member or user (of a certain group).
Is there a way to accomplish that?
Thanks :)
If it's over HTTPS you could just supply a user and password as server headers. Alternatively you'll have to implement OAuth or something like that.
I think I mean request headers
is working on a reply...