2

This might be a stupid question and/or simple answer, or neither.

I am developing an API, and I was wondering if it was possible to lock this down to a specific URL/Host?

e.g. My API is on one url, and it only responds to a httpwebrequest from a specific url. www.apione.com only responds to www.apitwo.com

Is this possible? I have been looking into the host headers but don't think it is possible to get this information.

Thanks

Improve this question

2 Answers 2

Reset to default
2

If your "API" as a web service then you can use 'Request.UrlReferrer' to get a URI object that tells you the URL the request has come from. You can then simply check that it matches one or more expected values before doing anything. This will not stop request from other URLs hitting the service but your web service would not do anything in response to these requests. You can also lock down by IP in a similar manner by using Request.UserHostAddress. Please note that these do different things. If the user clicks a link on www.apione.com the referer will be set to www.apione.com but the IP will be the IP of the user. Which method you use would depend on how the API is consumed. e.g. If there is some server side process that runs from www.apione.com then the referer would not be much help. Also referer can be easily spoofed.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thanks for the answer. I think I will go down the IP route as I have been doing some tests and this will be sufficient for what I need to do.
0

I realize this is a very old post, but I thought it might be helpful to add a simple, secure practice to address this issue in future implementations.

Embed a random API access token on your page, linked to the session. You can optionally refresh the token at each request if you wish to prevent inadvertent double-submits and so forth.

On the page

token = get random string, 8 to N characters long,
    hashing if you desire greater security
store token in session

write some html
embed the code in a script tag:
    var api_token = '<? echo code; ?>';

append api_token to all SOAP/JSONP requests
when the request returns, replace api_token with the new token

In the service

read api_token
look for api_token in session
if token does not exist, exit
else, continue ...
generate new token
store token in session
append token to response

This basic strategy is good for protecting service requests and validating link-clicks. I.e., you can verify with high certainty that delete.aspx?id=123 originated from manage.aspx or whatever, rather than from someone's FB feed, twitter, short URL service, etc..

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.