Securing a publicly-accessible Web API

Question

User768014394 posted

We're starting to redesign many of our company's websites as most of them were designed during the early days of .NET Web Forms.  My boss has been pushing for us to update our skill set and start using some newer technologies.

What my boss is suggesting is making the front-end an AngularJS SPA with the back end being Web API.  We're starting with one of our simpler applications which is internally-accessible but in the future we'll be rewriting some of our public-facing apps in much the same way.

Ideally we'd use this same API for all of our applications, internal and external.  Right now our applications have a front-end running on a server in the DMZ that calls a WCF service which is behind the firewall.  Our applications will have both public and private areas (which require users to be authenticated) but both will be accessing the same API.  Obviously we'll need to authorize certain actions but to start I need to know if there is any way we can restrict access to the GET methods.  For example, I don't want just anyone to be able to browse to a specific URL and get a table dump.

Securing the Web API is of critical concern for us since we deal with very sensitive data.  I've done some research on how we might secure it but it seems most of the examples in books or on the web have the API being in the same application (e.g. web project) as where the user interface is hosted from.  Since I have a strong background in Web Forms I know that the page code runs on the server and for the most part the UI itself isn't getting raw data back and manipulating the DOM to display it.  However, with an AngularJS front-end we will be doing just this.  I don't know if this matters but I have limited ASP.NET MVC exposure since I'm making the leap from the Web Forms/WCF world I'm learning both AngularJS and Web API at the same time.

Before we get too much further with our development work we need to start thinking our security.  Does it even make sense to have a publicly-accessible API?  I've heard a few things but I don't know which is best.  Thanks

Answer 1

User1779161005 posted

The modern standard for this is OAuth2 (and possibly OpenID Connect, depending on what you need). IdentityServer is an open source OAuth2 and OpenID Connect platform you can use to secure your APIs and apps.

https://github.com/IdentityServer/IdentityServer3

Answer 2

User36583972 posted

Hi desertfoxaz,

I need to know if there is any way we can restrict access to the GET methods.  For example, I don't want just anyone to be able to browse to a specific URL and get a table dump.

The following tutorial introduces some options for securing a web API from unauthorized users.

http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api

Security issues for Web API you can refer, you will get more information about Web API Security .

http://www.asp.net/web-api/overview/security

Does it even make sense to have a publicly-accessible API?  

You can make your Web API’s secure. You can refer the following tutorial, It uses the public/private keys to create a token (encrypted user/IP Address ...)

Making your ASP.NET Web API’s secure:

http://codebetter.com/johnvpetersen/2012/04/02/making-your-asp-net-web-apis-secure/

Best Regards,

Yohann Lu