5

I have a MVC Controller which exposes a Initialise Action. The other virtual web application hosted on same IIS will need to access this Action.

For security reason, only request coming from same web server (where MVC app is hosted) will need to be granted access to this Iniliase method.

Could someone please help how to achieve this? We can't use localhost to validate as this application will be hosted in Azure which doesn't support locahost requests.

Yuck
  • 49,664
  • 13
  • 105
  • 135
Nil Pun
  • 17,035
  • 39
  • 172
  • 294

5 Answers5

6

My answer is regarding restricting server-side requests.

The website that calls Initialise would need to make a request to http://www.example.com/controller/Initialise rather than http://localhost/controller/Initialise (replacing www.example.com and controller with your domain and controller names of course).

HttpRequest.IsLocal should be checked in your controller action:

if (!Request.IsLocal)
{
    throw new SecurityException();
}

This will reject any requests not coming from the local host. This approach assumes that both the calling site and the requested site share the same IP address - the documentation states that this should work:

The IsLocal property returns true if the IP address of the request originator is 127.0.0.1 or if the IP address of the request is the same as the server's IP address.

For restricting client-side requests Google "csrf mitigation".

Senad Meškin
  • 13,597
  • 4
  • 37
  • 55
SilverlightFox
  • 32,436
  • 11
  • 76
  • 145
1

If your server has multiple ip addresses, you'll need some extra code. The following handles multiple ip addresses, and handles CDN like cloudflare which will have the wrong ip address in the Request.UserHostAddress property.

Code:

private bool IsLocal()
{
    if (Request.IsLocal)
    {
        return true;
    }
    string forwardIP = Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
    foreach (NetworkInterface netInterface in NetworkInterface.GetAllNetworkInterfaces())
    {
        IPInterfaceProperties ipProps = netInterface.GetIPProperties();
        foreach (UnicastIPAddressInformation addr in ipProps.UnicastAddresses)
        {
            string ipString = addr.Address.ToString();
            if (Request.UserHostAddress == ipString || forwardIP == ipString)
            {
                return true;
            }
        }
    }
    return false;
}
jjxtra
  • 20,415
  • 16
  • 100
  • 140
  • HTTP_X_FORWARDED_FOR can be spoofed, so if you aren't using a CDN it is probably better to remove it entirely. – jjxtra Dec 22 '15 at 15:33
0

Access-Control-Allow-Origin tells the browser regarding its accessibility to domains. Try specifying:

HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "yourdomain")

I have not tested this to find out if this works.

KrishnaDhungana
  • 2,604
  • 4
  • 25
  • 37
0

Use the AntiForgeryToken provided by ASP.NET MVC. Here is an article about that.

http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

Khalid Abuhakmeh
  • 10,709
  • 10
  • 52
  • 75
0

I think Request.IsLocal is the way to go here. Since you're on using MVC, you could implement a custom attribute to do this for you. See my answer here for a working example

Community
  • 1
  • 1
Chris HG
  • 1,412
  • 16
  • 20