-3

We have an Angular site that is public and a REST WEB API that is public. The site is for all users. How do I stop users from finding out the REST POST calls and submitting them through something like Fiddler?

My thought is the CORS will restrict what IP address can call the methods, right? So is that the answer? Or can users spoof the IP and still call the WEB API?

Edit 1: Can someone tell me why CORS is not the answer? As I understand it, it would restrict the request to only the server the Angular application is on, right? Which would then not allow the user's actual browser to make requests? Right?

punkouter
  • "My thought is the CORS will restrict what IP address can call the methods right?" — No. CORS has nothing to do with the IP address of the client. – Quentin Jan 27 '20 at 21:48
  • But then how do anti-forgery tokens relate to this problem? https://www.domstamand.com/secure-your-angularasp-net-core-application-with-anti-forgery-token/ – punkouter Jan 27 '20 at 21:53
  • CSRF defences don't relate to this problem. Not even remotely. – Quentin Jan 27 '20 at 21:56
  • Oh.. I thought anti-forgery was about verifying where the request is coming from... And my question is about verifying where the request comes from... but you are saying they are totally different problems/solutions...? ok – punkouter Jan 27 '20 at 21:58
  • 1 — Anti-forgery defences verify that the client was not tricked into submitting the request by a third party (e.g. a page on dodgy-hacker.com containing a form with `action="http://yourbank.com/account/transfer"` prefilled with a request to transfer $1000 to the hacker which is submitted by JS as soon as anyone lands on the page). It has nothing to do with controlling what the client actually is. – Quentin Jan 27 '20 at 22:01
  • "As I understand it would restrict the request to only the server the angular application is on right?" — See https://stackoverflow.com/a/35553666/19068 — Your premise does not involve a browser, nor a third-party. – Quentin Jan 27 '20 at 22:02
  • Not sure why this is an issue; if a user can authenticate through your web app, wouldn't that be the same as authenticating through Fiddler using the same credential? So the user is the same... What seems to be the problem if they are doing a POST from somewhere else? – penleychan Jan 27 '20 at 22:08
  • It's a public site.. So it seems like the answer is to create a second version of the API with just GETs... doesn't seem right :\ – punkouter Jan 29 '20 at 19:46

1 Answer

0

There is no way to hide your API if it's public. Basic debugging tools allow anyone to see everything a web browser is doing, so the requests to your API are public.

If you don't want to add authentication to your API, the only way I can think of really is restricting access with an IP filter.

People can spoof their IP addresses and still send requests to the API, but they wouldn't be able to get an answer, because the returning traffic would go to the spoofed address.

  • An IP filter will block access by the visitors using the client written in Angular. – Quentin Jan 27 '20 at 21:47
  • What about some way to send a code from Angular to the server that public users could not see? Is that possible? Or can users decrypt any Angular? – punkouter Jan 27 '20 at 21:51
  • The Angular application runs in the user's browser. The user's browser belongs to the user. They can *easily* inspect everything it sends to the server. – Quentin Jan 27 '20 at 21:57
  • As users can see all traffic in the web browser, they would also see your "secret" request. You can't fix this on the browser side without authentication. Monitor the logfiles to find the unauthorized users and block them server-side with a firewall. – wonderworld Jan 27 '20 at 22:01