I have a .NET Web API JSON service that is going to be called by an AngularJS website. Both the website and the web service will be hosted on the same server, but may or may not be hosted within the same IIS site. At the moment, the service is fully exposed and I can call its methods from a browser. I would like to secure this, but I am not sure what the best option would be. Ideally, I think I would require a client certificate, but since the client is JavaScript, i.e. client-side, I am not sure this would work. Any advice would be appreciated.
1 Answer
Your cert could easily be extracted. It's simple to use CORS with scope rules to allow access from designated URLs only:
[EnableCors(origins: "http://www.example.com", headers: "*", methods: "*")]
3 Comments
Steve Kiss
Would this block access when called from a browser? I had sent Access-Control-Allow-Origin, so this blocks it from other sites, but I can still call it from a browser.
fuzzybear
The server decides to allow the request based upon the URLs. You can easily mix and match and allow from one browser (URL) and not from another; that is indeed its whole purpose in life: to check the origin of the request and allow access to some or all controller methods.
Steve Kiss
I guess what I should mention is I don't want it to be callable from a browser. I think I have some reading to do on CORS.
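For readers following the thread above, here is an added example (not code from the question or the answer) of what the [EnableCors] attribute needs around it in an ASP.NET Web API 2 project, and of where its limits are. It assumes the Microsoft.AspNet.WebApi.Cors package, a hypothetical origin https://app.example.com and a hypothetical OrdersController; the [Authorize] attribute is there because CORS is enforced by the browser only and does nothing against a request sent directly with a tool such as curl.

```csharp
// WebApiConfig.cs: register CORS support once for the whole API.
// Requires the Microsoft.AspNet.WebApi.Cors NuGet package.
using System.Web.Http;
using System.Web.Http.Cors;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Without this call the [EnableCors] attribute on a controller has no effect.
        config.EnableCors();

        config.MapHttpAttributeRoutes();
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional });
    }
}

// Only pages served from the (hypothetical) origin below may call this controller
// from browser script; for any other origin the response carries no
// Access-Control-Allow-Origin header, so the browser refuses to hand it to the page.
[EnableCors(origins: "https://app.example.com", headers: "*", methods: "GET,POST")]
// CORS is not authentication: a direct HTTP client is never subject to it.
// [Authorize] is what actually refuses anonymous callers, browser or not.
[Authorize]
public class OrdersController : ApiController
{
    [HttpGet]
    public IHttpActionResult Get(int id)
    {
        // Constructed sample payload; a real controller would load the order.
        return Ok(new { Id = id, Status = "shipped" });
    }
}
```

With only the CORS attribute, an unauthenticated request from a non-browser client still returns the order; with [Authorize] in place it returns 401 regardless of origin.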