Asp.Net MVC4 stopping people requesting or posting data to my API


I want to be able to use AJAX to Get/Post to an API controller in my MVC4 application.

However, I don't want anyone to be able to set up a web page and get/post to the controller - only from web pages delivered from my server.

So, should I just use a normal controller and return data, rather than an API controller? (or have I misunderstood that using the API controller opens up the web application to any Get/Post?)

Thanks, Mark


This is a possible duplicate of <a href="https://stackoverflow.com/q/15366436/304832" rel="nofollow">my question here</a>. In a nutshell, the only way to secure API endpoints is to have the clients authenticate somehow. This can be done with a normal ASP.NET auth cookie, if you decorate the controllers / actions with the [Authorize] attribute. You could also roll your own solution using API keys or whitelist IP addresses. <a href="http://codebetter.com/johnvpetersen/2012/04/02/making-your-asp-net-web-apis-secure/" rel="nofollow">See this link</a> for a laundry list of options.

The answer I posted to my own question does make it more difficult for non-consumers of my web app to invoke API endpoints, though as Darin points out, it can be circumvented. Users could go to the web app to obtain the encrypted AnonymousID and custom encryption cookie, plug those into Fiddler2 (or any other client), and hit the API as much as they wanted for 24-48 hours.
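
An added example, not code from the answer or its linked posts, sketching two of the options the answer names for ASP.NET Web API: the [Authorize] attribute backed by the normal auth cookie, and a roll-your-own API key check as a message handler. The controller name, the X-Api-Key header name and the way the expected key is supplied are assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Option 1: require the normal ASP.NET auth cookie; anonymous callers get 401.
[Authorize]
public class OrdersController : ApiController   // hypothetical controller
{
    public string Get() { return "orders for " + User.Identity.Name; }
}

// Option 2: roll-your-own API key check that runs before any controller.
// Register in WebApiConfig: config.MessageHandlers.Add(new ApiKeyHandler(key));
public class ApiKeyHandler : DelegatingHandler
{
    private const string HeaderName = "X-Api-Key";   // assumed header name
    private readonly string _expectedKey;

    public ApiKeyHandler(string expectedKey) { _expectedKey = expectedKey; }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        IEnumerable<string> values;
        string supplied = request.Headers.TryGetValues(HeaderName, out values)
            ? values.FirstOrDefault() : null;

        if (!FixedTimeEquals(supplied, _expectedKey))
        {
            // Missing or wrong key: answer 401 without reaching the controller.
            var denied = new TaskCompletionSource<HttpResponseMessage>();
            denied.SetResult(new HttpResponseMessage(HttpStatusCode.Unauthorized) { RequestMessage = request });
            return denied.Task;
        }
        return base.SendAsync(request, cancellationToken);
    }

    // Compare every character so timing does not reveal a matching prefix.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

A key embedded in a page served to a browser is readable by whoever loads that page, so the API key handler suits server-to-server callers, while [Authorize] is the fit for AJAX calls from the site's own pages.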

