
We are developing an MVC application which links to a Web API. Currently, in order to do any calls to the API, the JavaScript makes an AJAX call to the API sending a username and password for authentication. The API validates the username and password and sends back a security token. Then a second AJAX call is made to do the actual business logic, sending the security token with it.

We want to move away from this method since exposing the username and password in the JavaScript is a security hole.

What we're looking at is a way to get the API to recognize where the call is coming from. For example, if the call is coming from our website, it's legitimate. Otherwise, the call is denied access.

Is there a way to do this? If so, are there any online walkthroughs on how to set up the API to do this? Thanks.

gib65
  • So basically you just want to get out the Client identity? Similar to this? https://stackoverflow.com/questions/735350/how-to-get-a-users-client-ip-address-in-asp-net – Harry Oct 23 '17 at 22:26
  • That could work. What I'd have to do is compile a list of IP addresses on the API server. I'm guessing this can be done through IIS. Any advice on this? – gib65 Oct 24 '17 at 19:29
  • Not sure what you mean by compiling a list of IP addresses on IIS. If you are talking about your persistent store on the server that stores tokens and client IDs, you need to implement your own datastore for it, as IIS does not provide any datastore. – Harry Oct 24 '17 at 21:38

0 Answers