  • NDDT 68 posts 240 karma points c-trib
    Jul 16, 2016 @ 00:47
    NDDT
    0

    How to secure an API

    I want to provide an API for a few other pages to pull and push data.

    Of course access should only be allowed for my own websites.

    How would you implement this?

  • David Peck 690 posts 1896 karma points c-trib
    Jul 18, 2016 @ 09:41
    David Peck
    0

    The API should only allow access from your site by default. Or at least IF there is a referrer header then it must match your site. Of course it is easy for a hacker to add a false referrer header but there aren't many times when any API call is ok for unauthenticated users but is a security concern for hackers. If you have such a scenario then perhaps look to hack the AntiForgeryToken functionality to quickly confirm that the user is on your site:

    See http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-csrf-attacks under the heading Anti-CSRF and AJAX

  • NDDT 68 posts 240 karma points c-trib
    Jul 18, 2016 @ 22:21
    NDDT
    0

    Hi David,

    thanks for your reply.

    The API calls will come from different domains (on different servers). Otherwise I would just overwrite the UmbracoAutheticatedApiController.

    The best case would be if the other website is authenticated as member or user (of a certain group).

    Is there a way to accomplish that?

    Thanks :)

  • David Peck 690 posts 1896 karma points c-trib
    Jul 21, 2016 @ 08:51
    David Peck
    0

    If it's over HTTPS you could just supply a user and password as server headers. Alternatively you'll have to implement OAuth or something like that.

  • David Peck 690 posts 1896 karma points c-trib
    Jul 21, 2016 @ 09:15
    David Peck
    0

    I think I mean request headers
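The approach David describes in his last two replies (the calling site sends a user name and password in request headers, accepted only over HTTPS), as an added example that is not code from this thread or from Umbraco. It is an ASP.NET Web API authorization filter you would apply to the controller exposing the API (for instance an UmbracoApiController); the attribute name and the constructed sample credentials are assumptions for illustration.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Text;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
public class ServerToServerBasicAuthAttribute : AuthorizationFilterAttribute
{
    // Constructed sample credentials; in practice load them from configuration, not source.
    private const string ClientUser = "site-a", ClientSecret = "replace-with-long-random-secret";
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var request = actionContext.Request;
        // Credentials in headers are only acceptable over TLS, so refuse plain HTTP outright.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            actionContext.Response = request.CreateResponse(HttpStatusCode.Forbidden, "HTTPS required");
            return;
        }
        // The calling site sends "Authorization: Basic base64(user:password)".
        string user = null, password = null;
        var auth = request.Headers.Authorization;
        if (auth != null && auth.Scheme == "Basic" && auth.Parameter != null)
        {
            try
            {
                var decoded = Encoding.UTF8.GetString(Convert.FromBase64String(auth.Parameter));
                var sep = decoded.IndexOf(':');
                if (sep > 0) { user = decoded.Substring(0, sep); password = decoded.Substring(sep + 1); }
            }
            catch (FormatException) { /* malformed base64 is treated as no credentials */ }
        }
        if (!FixedTimeEquals(ClientUser, user) || !FixedTimeEquals(ClientSecret, password))
        {
            actionContext.Response = request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }
        // Identify the calling site so actions can authorize per client and log who called.
        actionContext.RequestContext.Principal = new GenericPrincipal(new GenericIdentity(user, "Basic"), new[] { "ApiClient" });
    }
    // Constant-time comparison so response timing does not reveal how much of the secret matched.
    private static bool FixedTimeEquals(string expected, string actual)
    {
        if (expected == null || actual == null || expected.Length != actual.Length) return false;
        var diff = 0;
        for (var i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}
```

Rejecting non-HTTPS requests in the filter rather than relying on site configuration means a misconfigured binding cannot silently expose the shared password in clear text.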
