Client IP Safe List vs CORS

  • Question

  • Developing an intranet app:  Core 3.0 WebAPI with Angular 8 front end.

    I am developing a Web API app which can be used by several Angular client apps so I want to limit the domain (or sub-domain) that can send requests to the endpoints.

    Trying to understand the difference between CORS and an IP Safelist (https://docs.microsoft.com/en-us/aspnet/core/security/ip-safelist?view=aspnetcore-3.0).

    Not really clear on how they are different or why one should be chosen over the other.

    What are the differences between the two approaches?

    Thanks,


    - Bruce

    Tuesday, October 29, 2019 3:45 PM

Answers

  • An IP safe list protects you from unauthorized user computers, but CORS protects you against requests from a different website, or one on the same host as authorized sites but really another site.

    Say, in the example in the linked article, you have a website with an "admin" subfolder that you would clearly want to be accessed only from locations where you know your "authorized users" would be, so you set up a whitelist to enable access to it only from IP ranges that you know, say some internal IP ranges (intranet access indicates it comes from a computer inside your company, or computers of a company that you know should have access), and if your website also goes public, you may want to add the home IP addresses of your support team members too.



    Wednesday, October 30, 2019 1:27 AM
    Answerer
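    The two controls described in this answer enforced side by side in an ASP.NET Core 3.0 Startup, as an added example that is not code from the thread or from the linked docs article. It assumes two appsettings keys, "AllowedOrigins" (browser origins for CORS) and "SafeList" (semicolon-separated IP addresses, as the docs article's config does); the origins and addresses in the fallback values are constructed placeholders. The point the code makes: CORS is only honoured by browsers, whereas the safelist middleware rejects every connection whose source address is not listed, whatever the client is.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        // CORS: names the browser origins (scheme + host + port) allowed to call the API.
        // The browser enforces this; a non-browser client (curl, a script, another server) ignores it.
        services.AddCors(options =>
        {
            options.AddPolicy("AngularClients", builder => builder
                .WithOrigins(_config.GetSection("AllowedOrigins").Get<string[]>()
                    ?? new[] { "https://app1.intranet.example", "https://app2.intranet.example" }) // constructed
                .WithMethods("GET", "POST", "PUT", "DELETE")
                .WithHeaders("Content-Type", "Authorization"));
        });
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // IP safelist: runs first so an unlisted source is rejected before any routing or CORS work.
        // "SafeList" config key is an assumption; the fallback addresses are constructed placeholders.
        app.UseMiddleware<IpSafeListMiddleware>(_config["SafeList"] ?? "127.0.0.1;::1;10.0.0.5");

        app.UseRouting();
        app.UseCors("AngularClients");   // must sit between UseRouting and UseEndpoints in 3.0
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// Rejects any request whose connection source address is not in the configured list.
public class IpSafeListMiddleware
{
    private readonly RequestDelegate _next;
    private readonly ILogger<IpSafeListMiddleware> _logger;
    private readonly IPAddress[] _safeList;

    public IpSafeListMiddleware(RequestDelegate next, ILogger<IpSafeListMiddleware> logger, string safeList)
    {
        _next = next;
        _logger = logger;
        _safeList = safeList.Split(';', StringSplitOptions.RemoveEmptyEntries)
                            .Select(s => IPAddress.Parse(s.Trim()))
                            .ToArray();
    }

    public async Task Invoke(HttpContext context)
    {
        var remoteIp = context.Connection.RemoteIpAddress;

        // Kestrel reports IPv4 peers as IPv4-mapped IPv6 (::ffff:10.0.0.5) on a dual-stack socket;
        // normalise so they compare equal to the plain IPv4 entries in the list.
        if (remoteIp != null && remoteIp.IsIPv4MappedToIPv6)
            remoteIp = remoteIp.MapToIPv4();

        if (remoteIp == null || !_safeList.Any(ip => ip.Equals(remoteIp)))
        {
            // Log the rejection: this is the signal to watch if a flood of blocked requests is
            // costing the app CPU, which is the concern raised in the replies below.
            _logger.LogWarning("Request for {Path} from {RemoteIp} rejected by IP safelist",
                               context.Request.Path, remoteIp);
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }

        await _next(context);
    }
}
```

    One caveat a practitioner should check: behind a reverse proxy or load balancer, RemoteIpAddress is the proxy's address, so the safelist would allow or block the proxy rather than the real client. In that deployment, configure UseForwardedHeaders with the proxy's address in KnownProxies so the middleware sees the original client address, and never trust X-Forwarded-For from an arbitrary peer.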

All replies

  • IMO, CORS is what I have seen implemented in ASP.NET WebAPI solutions, or token-based security as discussed at the WebAPI forum in the ASP.NET forums, which is based on authentication.

    With an IP whitelist I would be concerned about a DoS attack run against the application, where no legitimate request can be processed as the WebAPI service reacts to and blocks the requests sent by a blocked IP, which is a firewall responsibility, like a network firewall appliance or a configured gateway computer running a host-based firewall.

    ASP.NET forums is where you can post for help.

    http://forums.asp.net/


    • Edited by DA924x Wednesday, October 30, 2019 7:23 AM
    Tuesday, October 29, 2019 8:27 PM