Securing a publicly-accessible Web API

  • Question

  • User768014394 posted

    We're starting to redesign many of our company's websites as most of them were designed during the early days of .NET Web Forms.  My boss has been pushing for us to update our skill set and start using some newer technologies.

    What my boss is suggesting is making the front-end an AngularJS SPA with the back end being Web API.  We're starting with one of our simpler applications which is internally-accessible but in the future we'll be rewriting some of our public-facing apps in much the same way.

    Ideally we'd use this same API for all of our applications, internal and external.  Right now our applications have a front-end running on a server in the DMZ that calls a WCF service which is behind the firewall.  Our applications will have both public and private areas (which require users to be authenticated) but both will be accessing the same API.  Obviously we'll need to authorize certain actions but to start I need to know if there is any way we can restrict access to the GET methods.  For example, I don't want just anyone to be able to browse to a specific URL and get a table dump.

    Securing the Web API is of critical concern for us since we deal with very sensitive data. I've done some research on how we might secure it, but it seems most of the examples in books or on the web have the API in the same application (e.g. web project) as where the user interface is hosted from. Since I have a strong background in Web Forms, I know that the page code runs on the server and, for the most part, the UI itself isn't getting raw data back and manipulating the DOM to display it. However, with an AngularJS front-end we will be doing just this. I don't know if this matters, but I have limited ASP.NET MVC exposure; since I'm making the leap from the Web Forms/WCF world, I'm learning both AngularJS and Web API at the same time.

    Before we get too much further with our development work we need to start thinking about our security. Does it even make sense to have a publicly-accessible API? I've heard a few things but I don't know which is best. Thanks.

    Thursday, May 12, 2016 4:07 PM
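The following is an added illustration, not code from the poster or from any reply on this page, of the ASP.NET Web API 2 mechanism that directly addresses the "can we restrict the GET methods" part of the question: registering the built-in `AuthorizeAttribute` as a global filter so that every action, GETs included, rejects unauthenticated callers with 401 unless it is explicitly opted out with `[AllowAnonymous]`. The controller, repository, route names, sample records and the "Auditor" role are all assumed for illustration.

```csharp
// Added example (not the poster's code, not from any reply on this page).
// Deny-by-default authorization for an ASP.NET Web API 2 back end: an anonymous
// browser visit to /api/customers gets 401 instead of a table dump.
// CustomersController, the repository types, the "Auditor" role and the sample
// data below are assumptions made for this illustration.
using System.Collections.Generic;
using System.Linq;
using System.Web.Http;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.MapHttpAttributeRoutes();

        // Global filter: every action in every controller requires an
        // authenticated caller unless marked [AllowAnonymous]. Registering it
        // here means a newly added controller cannot be left open by omission.
        // Note: this is System.Web.Http.AuthorizeAttribute, not the MVC one.
        config.Filters.Add(new AuthorizeAttribute());
    }
}

public class Customer
{
    public int Id { get; set; }
    public string Name { get; set; }
}

// Hypothetical data access layer with constructed sample records, so the
// controller below compiles and runs without a database.
public class InMemoryCustomerRepository
{
    private static readonly List<Customer> Data = new List<Customer>
    {
        new Customer { Id = 1, Name = "Sample Customer A" },
        new Customer { Id = 2, Name = "Sample Customer B" }
    };

    public IEnumerable<Customer> GetAll() { return Data; }
    public Customer Find(int id) { return Data.FirstOrDefault(c => c.Id == id); }
}

[RoutePrefix("api/customers")]
public class CustomersController : ApiController
{
    private readonly InMemoryCustomerRepository _repo = new InMemoryCustomerRepository();

    // GET api/customers
    // Covered by the global [Authorize] (anonymous callers get 401). The Roles
    // restriction additionally limits the bulk listing, which is exactly the
    // "table dump" endpoint the question worries about, to one role.
    [HttpGet]
    [Route("")]
    [Authorize(Roles = "Auditor")]
    public IHttpActionResult GetAll()
    {
        return Ok(_repo.GetAll());
    }

    // GET api/customers/{id}
    // Any authenticated user may read one record; a per-record ownership check
    // belongs here once the application defines who may see which customer.
    [HttpGet]
    [Route("{id:int}")]
    public IHttpActionResult Get(int id)
    {
        var customer = _repo.Find(id);
        if (customer == null)
        {
            return NotFound();
        }
        return Ok(customer);
    }

    // GET api/status  ("~/" overrides the controller's route prefix)
    // Explicit opt-out for the public area of the site. With the global filter
    // in place this attribute is the only way an action becomes reachable
    // without credentials, so each opt-out is a deliberate, reviewable choice.
    [HttpGet]
    [Route("~/api/status")]
    [AllowAnonymous]
    public IHttpActionResult Status()
    {
        return Ok(new { status = "ok" });
    }
}
```

The filter lives in the API project, so it applies regardless of where the AngularJS SPA is hosted; the SPA only has to send the user's credential (a forms-authentication cookie or a bearer token in the `Authorization` header) with each XHR, and `User.Identity` inside the controller is what `[Authorize]` evaluates. A quick check that the default really is "deny" is to request `/api/customers` from a fresh private browser window and confirm a 401, and `/api/status` and confirm a 200.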


All replies