I want to be able to use AJAX to Get/Post to an API controller in my MVC4 application.
However, I don't want anyone to be able to set up a web page and get/post to the controller - only from web pages delivered from my server.
So, should I just use a normal controller and return data, rather than an API controller? (or have I misunderstood that using the API controller opens up the web application to any Get/Post?)
This is a possible duplicate of <a href="https://stackoverflow.com/q/15366436/304832" rel="nofollow">my question here</a>. In a nutshell, the only way to secure API endpoints is to have the clients authenticate somehow. This can be done with a normal ASP.NET auth cookie, if you decorate the controllers / actions with the [Authorize] attribute. You could also roll your own solution using API keys or whitelist IP addresses. <a href="http://codebetter.com/johnvpetersen/2012/04/02/making-your-asp-net-web-apis-secure/" rel="nofollow">See this link</a> for a laundry list of options.
The answer I posted to my own question does make it more difficult for non-consumers of my web app to invoke API endpoints, though as Darin points out, it can be circumvented. Users could go to the web app to obtain the encrypted AnonymousID and custom encryption cookie, plug those into Fiddler2 (or any other client), and hit the API as much as they wanted for 24-48 hours.
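As an added example (not code from the question or from either linked answer), this is the [Authorize] approach the answer describes, applied to a Web API controller in an MVC4 project; OrdersController, the Order type and the sample data are assumptions, and forms authentication is assumed to be configured.

```csharp
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Web.Http;

// Added example, not code from the question or the answer. Assumes an MVC4
// project with ASP.NET Web API (v1) and forms authentication configured;
// OrdersController and Order are hypothetical names.
namespace MyApp.Controllers
{
    public class Order
    {
        public int Id { get; set; }
        public string Owner { get; set; }
    }

    // Class-level [Authorize]: every action requires an authenticated principal.
    // With forms auth that means a valid .ASPXAUTH cookie on the request; any
    // other caller gets 401 before the action body runs. Note this must be
    // System.Web.Http.AuthorizeAttribute (imported above), not the MVC one.
    // To cover every API controller instead, add in WebApiConfig.Register:
    //   config.Filters.Add(new AuthorizeAttribute());
    [Authorize]
    public class OrdersController : ApiController
    {
        // Constructed sample data standing in for a repository.
        private static readonly List<Order> Orders = new List<Order>
        {
            new Order { Id = 1, Owner = "alice" },
            new Order { Id = 2, Owner = "bob" },
        };

        // GET api/orders -- returns only the caller's own rows, so an
        // authenticated user still cannot read other users' data.
        public HttpResponseMessage Get()
        {
            var mine = Orders.FindAll(o => o.Owner == User.Identity.Name);
            return Request.CreateResponse(HttpStatusCode.OK, mine);
        }

        // POST api/orders -- [Authorize] checks who is calling, not which page
        // issued the request; as the answer notes, a client that holds a valid
        // cookie can still call this endpoint directly.
        public HttpResponseMessage Post(Order order)
        {
            if (order == null) return Request.CreateResponse(HttpStatusCode.BadRequest);
            order.Owner = User.Identity.Name; // never trust the owner sent by the client
            order.Id = Orders.Count + 1;
            Orders.Add(order);
            return Request.CreateResponse(HttpStatusCode.Created, order);
        }
    }
}
```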