保护ASP.NET Web API的最佳方法是什么？ [英] What is the best way to secure ASP.NET Web API?

问题描述

您好，



您能告诉我什么是保护Web API调用的最佳方法。



您可能已经知道，如果我们不保护URL，则URL足以调用并从Web API获取数据。我们是一个内部网应用程序，但我们只想从应用程序限制对web api的访问，而不是从浏览器中访问url。



谢谢。

Hello,

Could you please let me know what is the best way to secure the Web API calls.

As you might already know, URL is enough to call and get the data from the Web API if we don't secure it. Ours is a intranet application, but we would like to restrict the access to web api only from the application, not by hitting url from the browser.

Thank you.

推荐答案

对于Intranet Web应用程序，您可以在App配置中设置私钥。

对于首次登录您的应用程序的每个用户，通过HTTP发送他的凭证并获得一个唯一标识符（令牌），将在每个用户进一步使用在标头中调用HTTP Web API。在服务器端，您可以使用私钥解密令牌。



这可能对您有所帮助

http://programmers.stackexchange.com/questions/196421/what-are -the-best-practices-to-secure-a-web-api [ ^ ]



谢谢

Hi,
For a Intranet Web App , you can Set a private key in your App config.
For every user who first login into your App sends his credential over HTTP and get a unique identifier (Token) which will be used further on every call to HTTP Web API in header. On the Server side, you can decrypt the token using the private key.

This might help you
http://programmers.stackexchange.com/questions/196421/what-are-the-best-practices-to-secure-a-web-api[^]

Thanks

您需要在授权标题中发送每个请求的令牌。

尝试 this out [ ^ ]。

You need to send your token with each request in the Authorization Header.
Try this out[^].

Web API实际上可以通过HTTP protoco访问l，它没有说明它是由Web浏览器还是应用程序访问。 Web API总是会响应来自HTTP的请求，Web浏览器会通过HTTP发送请求，这就是Web API始终可以从Web浏览器访问的原因，而在应用程序的情况下，您必须使用库。



现在，保护它们的概念（已经在你的问题的评论中已经说明）完全取决于你想如何保护它们应用。可能有很多方法可以做到这一点（接受一些请求而不接受其他请求），但最简单的方法是将一个QueryString添加到URL以触发Web API，否则，发送503（服务不可用; 到网络浏览器）。例如，您可以考虑接受URL，例如，

Web API is actually accessible through HTTP protocol, it doesn't say whether it is accessed by a web browser or an application. Web API would always respond to requests coming on HTTP, web browsers do send the requests through HTTP, that is why Web API is always accessible from a web browser whereas in case of an application you have to use libraries.

Now, the concept of securing them (as already stated in the comment to your question) depends entirely on how you want to secure the application. There may be many ways to do this (to accept a few requests and not accept the others), but simplest would be to add a QueryString to the URL to trigger the Web API, otherwise, send a 503 (Service Unavailable; to the web browser). For example you may consider accepting the URLs like,

http://www.yourwebsite.com/api/controller?from_app=true

但这仍然不能保护您的网站，因为任何人都可以在URL中写下这就是您应该考虑创建和为您的用户或应用程序使用令牌。像 GUID [ ^ ]普通用户无法猜到，但您的应用程序知道它。

But that still doesn't secure your website, because anyone can write that in the URL that is why you should consider creating and using a token for your users or applications. A token like GUID[^] that cannot be guessed by an ordinary user but your application knows it.

这篇关于保护ASP.NET Web API的最佳方法是什么？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！