Restrict access to the Web API

2

I have a Web API where I restricted access to its methods through EnableCors, indicating the URL I want to give permission to, as follows:

namespace WebService.Controllers
{
    [EnableCors(origins: "http://myapp.net", headers: "*", methods: "*")]
    public HttpResponseMessage GetItem(int id) { ... }
}

That way, if I try to access my controller from an application other than the URL "link", the block happens as expected.

However, when I try to access the API directly, just by pasting and opening the URL of my API "www.minhaapi.com./GetItem/2", the blocking does not happen.

I would like to know how best to allow access to my API only from domain X.

    
asked by anonymous 07.07.2016 / 04:42

1 answer

1

Oops. The same-origin policy implemented by browsers is, roughly speaking, just a way to prevent requests from one domain to another (you load a site on domain A that makes an asynchronous request for some resource on domain B).

But this protection does not stop you from accessing the resource directly through the browser.

So these changes you've made to allow cross origin (CORS) are behaving as expected.

Now, for example, if you want to block any connection that is not from an IP range, you can think of firewall rules or deny access (reject the request) according to the client's IP in the application itself.

07.07.2016 / 09:59
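One way to reject requests by client IP inside the application, as the answer suggests. This is an added example, not code from the question or the answer. The `IpAllowlistHandler` name, the `WebService.Handlers` namespace and the sample addresses are assumptions, and it assumes ASP.NET Web API 2 hosted on IIS:

```csharp
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web;

namespace WebService.Handlers // hypothetical namespace
{
    // Runs before routing, so unlisted clients never reach a controller,
    // whether the request comes from a browser, a pasted URL or a script.
    public class IpAllowlistHandler : DelegatingHandler
    {
        // Constructed sample addresses (RFC 5737 documentation range).
        private static readonly IPAddress[] Allowed =
        {
            IPAddress.Parse("203.0.113.10"),
            IPAddress.Parse("203.0.113.11")
        };

        protected override Task<HttpResponseMessage> SendAsync(
            HttpRequestMessage request, CancellationToken cancellationToken)
        {
            IPAddress client = GetClientIp(request);
            // Fail closed: an unknown or unlisted address gets 403.
            if (client == null || !Allowed.Contains(client))
                return Task.FromResult(new HttpResponseMessage(HttpStatusCode.Forbidden));
            return base.SendAsync(request, cancellationToken);
        }

        private static IPAddress GetClientIp(HttpRequestMessage request)
        {
            // Assumption: IIS hosting, where Web API stores the HttpContextBase
            // under this key. Behind a reverse proxy this is the proxy's address.
            object ctx;
            if (!request.Properties.TryGetValue("MS_HttpContext", out ctx)) return null;
            var http = ctx as HttpContextBase;
            if (http == null) return null;
            IPAddress ip;
            if (!IPAddress.TryParse(http.Request.UserHostAddress, out ip)) return null;
            // Normalize ::ffff:a.b.c.d so it compares equal to the IPv4 entry.
            return ip.IsIPv4MappedToIPv6 ? ip.MapToIPv4() : ip;
        }
    }
}
```

Register it with `config.MessageHandlers.Add(new IpAllowlistHandler());` in the Web API configuration. An IP allowlist only fits callers with fixed addresses, such as a server-side application; browsers visiting a site send requests from each visitor's own address.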