
How do I prevent public endpoints from being used outside the context of my web app?

I have a web application developed in ReactJS, and it consumes a public API developed in C# with .NET Core 2.0. Some endpoints are public, meaning that these endpoints do not use any kind of authentication or authorization method. So, how can I protect those public endpoints in order to prevent them from being used outside the context of my web app, e.g., prevent consuming the endpoints with Postman and prevent being attacked by a bot?

CORS is enabled with: origins -> "*", headers -> "*" and methods -> "*". The app can be used from any part of the world.

A partner told me a crazy idea: when the public endpoint is consumed, no matter how or by what, redirect from the endpoint to a web page with a captcha, and the endpoint waits until the captcha has been completed successfully and then continues with the transaction.

  • What are some examples, and why don't they require authentication or authorization? Generally an API requires that for everything except possibly a get-version call that just returns the highest (or min and max) versions supported. Commented Jun 26, 2019 at 23:46
  • Note that anything related to CORS is more like a speed-limit sign and only intended to protect legitimate users by using browser safeguards: it does nothing to limit non-compliant clients. The same goes for HSTS headers and most protections from XSS. Also, there's irony in suggesting that an endpoint with no authentication or authorization uses CAPTCHA, since that's exactly verifying that a user is authorized by virtue of being human. Commented Jun 27, 2019 at 1:58
  • IdentityServer4. You don't have to implement end-user authentication for the client to authenticate with the API and to protect the API. CORS only protects from browsers. IP / firewall restrictions work if the client app is not a JS client / public client. Commented Aug 4, 2019 at 5:52

1 Answer


If a public API does not use any authentication and authorization, you are unable to control its usage (apart from firewall-like features like IP ranges).

A captcha redirect will not really help you: you lose the possibility of seamlessly using the API in your application, and with a simple click on "developer tools" in a browser, everybody is able to call it in a byte-for-byte identical way as when it is used from your app.

Most likely the easiest solution is to create some sort of auth&auth: chasing a solution for the unsolvable problem of securing something that is by definition not secured will cost you much more time, headaches and security holes than just doing it right.
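As an added illustration of the answer's recommendation (not code from the question or the answer), here is an ASP.NET Core 2.0 `Startup` that keeps the wildcard CORS policy from the question beside a restricted one and adds bearer-token authentication, with `[Authorize]` as the controller default and `[AllowAnonymous]` only on the one action that is genuinely public. The policy names, the origin URL, the token authority and the audience are placeholders, and the `Microsoft.AspNetCore.Authentication.JwtBearer` package is assumed to be referenced.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(options =>
        {
            // Weak (as in the question): any origin, header and method.
            // CORS is enforced by browsers only; Postman or a bot ignores it.
            // options.AddPolicy("AnyOrigin", b => b.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod());

            // Restricted: only the web app's own origin (placeholder URL).
            options.AddPolicy("AppOrigin", b => b
                .WithOrigins("https://app.example.com")
                .AllowAnyHeader()
                .AllowAnyMethod());
        });

        // Bearer tokens are the actual control over who may call the API.
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(o =>
            {
                o.Authority = "https://identity.example.com"; // placeholder token issuer
                o.Audience = "my-api";                         // placeholder audience
            });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCors("AppOrigin");
        app.UseAuthentication(); // must run before MVC handles the request
        app.UseMvc();
    }
}

[Route("api/[controller]")]
[Authorize] // controller default: every action needs a valid token
public class OrdersController : Controller
{
    [HttpGet("version")]
    [AllowAnonymous] // the single intentionally public action
    public IActionResult Version() => Ok(new { version = "1.0" });

    [HttpPost]
    public IActionResult Create() => Ok(); // rejected with 401 without a token
}
```

The restricted CORS policy only limits which browser pages may call the API; the `[Authorize]` attribute is what stops Postman or a bot from using the non-public actions.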
