Securing Web API (CORS enabled) using token id, referrer url and ip address in Cross-Origin Requests

Views: 1072
Comments: 2
Like/Unlike: 0
Posted On: 18-Oct-2015 09:06 

Share:   fb twitter linkedin
Rahul M...
Moderator
48 Points
14 Posts

Introduction

If you developing Web API for third party vendor then you need to enable CORS feature of the Web API. In this scenario, we
need to prevent or secure the API from unauthorized user or Cross-Site Request Forgery attacks. We can Secure Web API (CORS
enabled) using token id, referrer url and ip address in Cross-Origin Requests. This article will describe how we can secure
Web API using token id, referrer url and ip address.

Requirement

Visual studio 2013, Web API 2.0

Used keyword details

tokenid: is a 15 to 20 digit auto generated code provided by third party vendor to the client for access the api.
ip address: is a ip address of the client that uses the api (for desktop based client).
referrer url: is a url of the page where the client uses the api on then web page (for web based client)

How to enable CORS in Web API

You can enable CORS in Web API in following steps:
I) add the CORS NuGet package=> In Visual Studio, from the Tools menu, select Library Package Manager, then select Package Manager Console. In the Package Manager Console window, type the following command: Install-Package Microsoft.AspNet.WebApi.Cors (This command will install the latest package and updates all dependencies, including the core Web API libraries. The CORS package requires Web API 2.0 or later.)
II) open the file App_Start/WebApiConfig.cs. Add the following code to the WebApiConfig.Register method.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Http;
namespace MvcApplication4
{
public static class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
config.EnableCors();
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{id}",
defaults: new { id = RouteParameter.Optional }
);
}
}

III) add the [EnableCors] attribute to the Controller class:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Cors;
namespace MvcApplication4.Controllers
{
[EnableCors(origins: "*", headers: "*", methods: "*")]
public class Default1Controller : ApiController
{
 
// Controller method
}


How to Validate token id, ip address and referrer url

You can validate tokenid and ip address and referrer url in action of api controller as

public HttpResponseMessage ValidateAPIUser(string tokenid)
string msg=""; 
string IPAddress = System.Web.HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"]; 
string ReferrerURL=""; 
if (Request.Headers.Referrer != null) {ReferrerURL = Request.Headers.Referrer.AbsoluteUri; } 
if (ReferrerURL == "")
// means api client is access from desktop 
if (validateIPAddress(validateIPAddress))
//Validate the ip address of the client
msg ="Valid user";
else
{
msg ="ip address not valid";
}
else
if (IsValidReferre(ReferrerURL))
{
msg ="Valid user";
else
{
msg ="You are not valid client";
}
return Request.CreateResponse(HttpStatusCode.OK, new {message=msg });
}

 Conclusion

 In this article we uses token id, ip address and referrer url for securing the Web API. Hopefully, this article will help you do that.

2 Comments

Smith
I found something good. It's realy helpful...

Rohit
It is useful for me.Now I secure my web API from theft...
  
banner

Blog

Active User (2)

 Log In to Chat