Use CORS rules in ASP.NET Web API implementations to allow other domains to access your API. In this example we allow everyone:
var response = Request.CreateResponse<Whatever>(HttpStatusCode.OK, whatever);
response.Headers.Add("Access-Control-Allow-Origin", "*");
return response;
You have to explicitly allow other domains or they are shut out. Thinktecture IdentityModel is, I believe, a helper for making the CORS stuff less awkward to use amongst other things. The security stuff for the ASP.NET Web API is underwhelming me hence far. I attended a talk once were one asked about how to protect an ASP.NET Web API method from being hit over and over again by an outsider (from a bot at the browser/ping level), and honestly the reality is that security hole is the same security hole that every plain Jane web site has too. The way to fight a denial of service attack is to block offending IPs. A distributed denial of service attack is a bigger, rarer, more beautiful thing that probably won't happen to you. If you need to authenticate someone hitting an API that does a POST, PUT, or DELETE, you will have the same Session stuff you have in just changing from one controller action to another in an MVC app. Meh. Happy Thanksgiving everyone!
No comments:
Post a Comment