保护匿名Web API请求的方法 [英] Ways to secure an anonymous Web API request

问题描述

我有一个 ASP.NET MVC (不是ASP.NET Core)单页应用程序，其前端具有角度js .

I have a ASP.NET MVC (NOT ASP.NET Core) single page application with angular js on the front end.

我的客户端(浏览器)通过ASP.NET Web API与服务器对话.现在，Web应用程序位于 https 上，但匿名上.没有登录/用户身份验证.

My client (browser) talks to server through ASP.NET Web APIs. Now, the web application is on https but anonymous. There is no login/ user authentication.

该Web应用采用向导的形式，用户可以在其中来回移动并添加或更新Web页面上的输入字段.然后通过Web API在服务器上更新表单输入值.

The web app is in the form of a wizard where user can go back and forth and add or update input fields on the web page. The form input values are then updated on the server through Web API.

我正在寻找一种方法来单独 安全 我的Web API调用，尤其是POST/PUT请求.总之，我想防止任何用户直接从POSTMAN或Fiddler调用我的Web API. Web API尽管只能匿名，但只能从发出请求的浏览器会话中调用.

I'm looking for a way to secure my Web API calls alone, especially the POST/ PUT requests. In summary, I want to prevent any user calling my Web API directly from POSTMAN or Fiddler. The Web API, though anonymous can be only called from the browser session where the request originated.

• 要实现此目的，我有什么选择?

• What are options do I have to achieve this?

我可以在这里使用防伪令牌(不进行身份验证)吗?

Can I use Anti-Forgery token here (without authentication)?

我可以想到的一种实现方式是向每个请求添加自定义标头，并将某种会话密钥存储在标头中.然后，在我从客户端收到的每个请求上验证自定义标头.在没有定制解决方案的情况下，还有其他方法可以实现此现成的或某些经过验证的库吗?

One way, I can think of achieving this is to add a custom header to each request and store some kind of session key in the header. Then, validate the custom header on every request I received from client. Are any other ways of achieving this out-of-box or some proven library without going for custom solution?

如果我必须采用上述定制解决方案，我需要注意哪些陷阱或潜在问题?

If I have to go for the above custom solution, what are the pitfalls or potential issues I need to be aware of?

推荐答案

首先，当您删除登录名并且应用程序中没有身份验证机制时，实际上就没有办法保护，因为任何人可以访问您的API.我认为您要确保仅从您自己的网站调用您的API.不幸的是，由于您的Web API是http/https，因此您无法完全实现这一目标，并且任何地方的任何人(例如邮递员，提琴手...)都可以创建http请求并调用您的API.

First of all when you remove login and there's no authentication mechanism in your application, there's really no way to secure anything, because anyone can access your APIs. I think what you want is to make sure that your APIs are called only from your own website. Unfortunately you can't completely achieve that, since your web APIs are http/https, and anyone, from anywhere (like postman, fiddler, ...) can create a http request and call your API.

您所能做的就是使您的API更加难以响应请求，例如您提到的使用防伪".

All you can do is to make it harder for your API to response to requests, like using Anti-Forgery as you mentioned.

我还建议您为应用程序添加一个cookie，并在每个请求中检查该cookie，在这种情况下，使用Fiddler或Postman调用API更为复杂(并非不可能).

And also I suggest you add a cookie for your application and check that cookie in every request, in this case it's more complicated ( not impossible ) to call your API using Fiddler or Postman.

最后，我建议您使用CORS，因此浏览器将只允许您的域调用您的API.因此，没有人可以在来自不同域的浏览器中调用您的API.

And last I suggest that you use CORS, so browsers would only allow your domain to call your APIs. So nobody can call your APIs in a browser from different domain.

这篇关于保护匿名Web API请求的方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！