How to block Postman or Fiddler from accessing a Web API

  • Question

  • User-168646821 posted

    Hi, 

    I want to secure my API (.NET Core 2.2). I used a JWT token to authorize, but I do not want my token to be generated from Postman or Fiddler. The JWT token should be generated only from my Windows application/mobile application. Can anyone help with this?

    Tuesday, August 27, 2019 5:43 AM

Answers

  • User475983607 posted

    Hi, 

    I want to secure my API (.NET Core 2.2). I used a JWT token to authorize, but I do not want my token to be generated from Postman or Fiddler. The JWT token should be generated only from my Windows application/mobile application. Can anyone help with this?

    I'm not sure why this is an issue if the user credentials authenticate. You can always check the User-Agent header to see whether a browser is sending the request.

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent

    Keep in mind that there is no foolproof way to accomplish this task, as the web is stateless.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, August 27, 2019 10:38 AM
  • User-474980206 posted


    Cannot be done. All web APIs are open to any client that knows how to call them. Be sure to use HTTPS so network sniffers cannot see the packets. You should not count on the client to perform any security checks; the server should always duplicate the checks.

    If it is a corporate app, you can require a VPN to access the web API, so the user needs access to the VPN.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, August 27, 2019 2:09 PM
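The two answers together, as an added example that is not code from this thread: an ASP.NET Core 2.2 Startup that applies the User-Agent check the first answer suggests purely as a deterrent hint, and relies on server-side JWT validation over HTTPS, as the second answer advises, for the actual control. The middleware class, the `MyCompanyApp/` product token, the issuer/audience values and the placeholder signing key are assumptions, not values from the thread.

```csharp
using System;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
// The User-Agent check from the first answer: a hint for logging/deterrence only,
// since any HTTP client can send whatever User-Agent value it likes.
public class UserAgentHintMiddleware
{
    private readonly RequestDelegate _next;
    private const string ExpectedAgentPrefix = "MyCompanyApp/"; // hypothetical product token
    public UserAgentHintMiddleware(RequestDelegate next) => _next = next;
    public async Task InvokeAsync(HttpContext context)
    {
        string agent = context.Request.Headers["User-Agent"].ToString();
        if (!agent.StartsWith(ExpectedAgentPrefix, StringComparison.Ordinal))
        {
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }
        await _next(context);
    }
}
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Placeholder secret; load the real signing key from configuration or a secret store.
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("REPLACE_WITH_LONG_SECRET_FROM_CONFIG"));
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true, ValidIssuer = "https://auth.example.com",   // assumed issuer
                ValidateAudience = true, ValidAudience = "my-api",                 // assumed audience
                ValidateLifetime = true, ClockSkew = TimeSpan.FromMinutes(1),
                ValidateIssuerSigningKey = true, IssuerSigningKey = key
            });
        services.AddMvc();
    }
    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection();                     // second answer: keep tokens off clear-text HTTP
        app.UseMiddleware<UserAgentHintMiddleware>();  // weak hint, runs before authentication
        app.UseAuthentication();                       // the server validates every JWT itself
        app.UseMvc();                                  // controllers carry [Authorize]
    }
}
```

Whatever the User-Agent middleware decides, a request without a valid, server-verified JWT still fails at `[Authorize]`, which is the check that actually matters.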
