Asp.Net MVC4阻止人们要求或发布的数据，以我的API [英] Asp.Net MVC4 stopping people requesting or posting data to my API

问题描述

我希望能够使用AJAX来GET / POST在我MVC4应用程序编程接口控制器。

I want to be able to use AJAX to Get/Post to an API controller in my MVC4 application.

不过，我不希望任何人能够设置一个网页，GET / POST到控制器 - 只有从网页从我的服务器发送

However, I don't want anyone to be able to setup a web page and get/post to the controller - only from web pages delivered from my server.

所以，我应该只是使用普通的控制器和返回数据，而不是一个API控制器？ （或者我误会了使用API​​控制器打开了W​​eb应用程序的任何GET / POST？）

So, should I just use a normal controller and return data, rather than an API controller? (or have I misunderstood that using the API controller opens up the web application to any Get/Post?)

谢谢，马克

推荐答案

这是我的问题这里 。简而言之，以确保API端点的唯一途径是让客户以某种方式进行身份验证。这可以用一个普通的ASP.NET权威性的cookie来完成，如果装饰用[授权]属性控制器/动作。您还可以使用API​​密钥或白名单的IP地址推出自己的解决方案。 请参阅此链接对于选项一箩筐。

This is a possible duplicate of my question here. In a nutshell, the only way to secure API endpoints is to have the clients authenticate somehow. This can be done with a normal ASP.NET auth cookie, if you decorate the controllers / actions with the [Authorize] attribute. You could also roll your own solution using API keys or whitelist IP addresses. See this link for a laundry list of options.

我贴我自己的问题的答案并使其成为非消费者我的web应用程序的更难以调用API端点，但正如达林指出的，它可以被规避。用户可以到Web应用程序来获取加密AnonymousID和自定义加密cookie时，这些插件将Fiddler2（或任何其他客户端），并击中了API的多，因为他们想为24-48小时。

The answer I posted to my own question does make it more difficult for non-consumers of my web app to invoke API endpoints, though as Darin points out, it can be circumvented. Users could go to the web app to obtain the encrypted AnonymousID and custom encryption cookie, plug those into Fiddler2 (or any other client), and hit the API as much as they wanted for 24-48 hours.

这篇关于Asp.Net MVC4阻止人们要求或发布的数据，以我的API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！