Web security api: SSL?

9

I would like to know if you can restrict requests to a web API to a specific machine.

My web API will be hosted on computer A.

My client (at first only one) will be hosted on computer B.

Different servers, different machines.

How can I make the web API "respond" only to the client on computer B?

  • Would it be SSL? How does it work? Do I just install the certificate on the server and the client? Do I need to handle the request on the server side?
  • It is very likely that in the future there will be a mobile application querying the same web API. How should I act when it comes to "releasing" the application's requests?

asked by anonymous 02.09.2017 / 20:19

    3 answers

    5

    What you need to implement is authentication, mainly because you said that at a later stage you will have a mobile application.

    With the mobile app you will no longer be in control of who the app is from. If you do not have a mobile application, you might be able to do the IIS restriction since the source domain is known and unique.

    Use one of the OAuth authentication versions; version 1.0 is very simple and quick to implement.

    SSL does not help you in this scenario.

        
    08.09.2017 / 21:58
    0

    1 - SSL is the minimum you should have if you want to expose an api to a client, but that does not have much to do with your problem.

    2 - While you do not have a mobile app consuming your api, you have some ways to restrict your clients' access: through IPs by configuring IIS, through a firewall, or even through a digital certificate to establish communication with your api.

    3 - When you have a mobile application consuming an api, the scenario changes: there is no possibility of IP restriction. One of the authentication patterns used in this case is OAuth2:

    12.09.2017 / 03:04
    0
      

    I would like to know if you can restrict requests to a web api specifically for a machine

    Response: Token per user

    My recommendation: JwtSecurityTokenHandler.

    And to have full control you need to create an AuthorizeAttribute filter for a particular user.

    [Authorize(Roles = "MaquinaA")]
    
        
    14.09.2017 / 15:29
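
The token-per-client approach from the last answer, as an added example that is not part of any answer above: a token carrying the role `MaquinaA` is issued for the client on computer B, and the API side accepts a request only if the token validates and carries that role. It assumes the `System.IdentityModel.Tokens.Jwt` NuGet package; the issuer and audience names, the `MachineTokenDemo` class and the randomly generated key are constructed for the illustration.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;
static class MachineTokenDemo
{
    // Hypothetical issuer and audience names for this sketch.
    const string Issuer = "https://computer-a.example", Audience = "web-api";

    // The role claim names the client machine, matching [Authorize(Roles = "MaquinaA")].
    static string Issue(SecurityKey key, string machineRole, TimeSpan lifetime)
    {
        var token = new JwtSecurityToken(
            issuer: Issuer, audience: Audience,
            claims: new[] { new Claim(ClaimTypes.Role, machineRole) },
            expires: DateTime.UtcNow.Add(lifetime),
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // True only when signature, issuer, audience and lifetime validate and the role matches.
    static bool IsAllowed(string jwt, SecurityKey key, string requiredRole)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true, IssuerSigningKey = key,
            ValidateIssuer = true, ValidIssuer = Issuer,
            ValidateAudience = true, ValidAudience = Audience,
            ValidateLifetime = true, ClockSkew = TimeSpan.FromSeconds(30),
            RoleClaimType = ClaimTypes.Role
        };
        try
        {
            return new JwtSecurityTokenHandler()
                .ValidateToken(jwt, parameters, out SecurityToken _).IsInRole(requiredRole);
        }
        catch (SecurityTokenException) { return false; } // bad signature, expired, wrong issuer or audience
        catch (ArgumentException) { return false; }      // not a well-formed JWT
    }

    static void Main()
    {
        var secret = new byte[32]; // constructed demo key, generated fresh on each run
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(secret);
        var key = new SymmetricSecurityKey(secret);
        string token = Issue(key, "MaquinaA", TimeSpan.FromMinutes(5));
        Console.WriteLine(IsAllowed(token, key, "MaquinaA"));       // token issued for the intended client
        Console.WriteLine(IsAllowed(token, key, "OutraMaquina"));   // valid token, different role required
        Console.WriteLine(IsAllowed(token + "x", key, "MaquinaA")); // signature altered in transit
    }
}
```

In a deployed API the signing key stays on the issuing side and the token travels over TLS, since anyone who captures a bearer token can replay it until it expires.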