Localhost only endpoint

Question

Let's say that I have an API accessible for anybody from the Internet, but one endpoint e.g

hxxps://my-domain.com/local I'd want to be only accessible from localhost

Are there other possibilities when it comes to creating localhost only endpoint than checking whether IP is

::1 | localhost |127.0.0.1 ?

Or some tricks at HTTP Server(nginx) level?

Answer 1

There are a few possibilities:

• Mark it with #DEBUG pragma - so it will be only in debug mode
• Overriding ExecuteAsync and check for feature flag (see Conditionally disable ASP.NET MVC Controller)
• Block it on load balancer before your application (a lot of dotnet core apps are self-hosted and access s through localhost. For example Azure App Service)
• Use custom authentication
• Use a feature flag (like config entry ore environment variable) and check it inside blocked controller
• Use a feature flag (like above) and a custom policy with such check (read more: https://learn.microsoft.com/en-gb/aspnet/core/security/authorization/policies?view=aspnetcore-2.2)

Answer 2

Generally, no. However, I don't think this is the best plan anyways. When you push something public, you should assume all things are public. If there's something you don't want accessed by just anyone, then auth is your answer. That also buys you more flexibility for what it's worth. Whatever needs to communicate locally with this API, may not always live on the same server. If you use auth, you can move it anywhere without issue. Otherwise, it's stuck on the same server, whether that ends up making sense in the long run or not.

Your next best alternative is to separate out the functionality, and host internal-only stuff internally. Trying to make one API serve both internal-only and external requests is only adding unnecessary complication.