I currently have an ASP.NET MVC and ASP.NET Web API 2 project (both types of controllers are included in the same project).

I want to ensure that a user cannot directly make a call to the Web API and get raw data (such as http://domain/api/myaction). However, the API methods should have the ability to be called by jQuery via AJAX, and MVC controller actions should also be able to call the Web API actions (in cases where the initial view should be rendered with some data that came from the API).

What is the best approach to do something like this, or am I looking at this the wrong way?

1 Answer

There is no difference between an Ajax call and a "direct" call. What you should do for any controller action is validate the request via a token or whatever authentication method you have established.

If you are using Microsoft authentication, you only need to add the `[Authorize]` tag above your controller/action.

https://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute(v=vs.118).aspx

2 Comments

Is it possible then to have some static API user with encrypted credentials in the Ajax call in jQuery? I just want to prevent a scenario where a user can look at the source code and be able to abuse the API by directly calling it. I only want jQuery and the page itself to be able to make the call.

Web API is supposed to be available to HTTP requests by definition. I don't know what kind of authentication you are using, or if you are using any. The answer depends on the implemented authentication.
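
Added example, not part of the original answer or comments: a Web API 2 controller that applies the approach the answer describes, authenticating every request and scoping the returned data to the caller. It assumes the default `api/{controller}/{id}` route and that the site already signs users in; `ReportsController`, `Report` and the sample rows are hypothetical.

```csharp
using System.Linq;
using System.Web.Http; // Web API 2 types; its AuthorizeAttribute is distinct from System.Web.Mvc's

// Constructed sample type, standing in for whatever the real API returns.
public class Report
{
    public int Id { get; set; }
    public string Owner { get; set; }
    public string Title { get; set; }
}

// Hypothetical controller, reachable at /api/reports under the default route.
// [Authorize] binds to System.Web.Http.AuthorizeAttribute because of the
// using directive above; the MVC attribute of the same name does not apply
// to ApiController actions.
[Authorize]
public class ReportsController : ApiController
{
    // Constructed, read-only sample data in place of a real data store.
    private static readonly Report[] Store =
    {
        new Report { Id = 1, Owner = "alice", Title = "Q1" },
        new Report { Id = 2, Owner = "bob",   Title = "Q2" },
    };

    // GET /api/reports
    // The authorization filter rejects a request without valid credentials
    // before this body runs, whether it came from jQuery or the address bar.
    // An authenticated caller gets only their own rows, so calling the URL
    // directly yields nothing the page would not also show them.
    public IHttpActionResult Get()
    {
        string caller = User.Identity.Name;
        return Ok(Store.Where(r => r.Owner == caller).ToList());
    }

    // GET /api/reports/2
    // Tighter rule for a broader read: authenticated AND in the Admin role.
    [Authorize(Roles = "Admin")]
    public IHttpActionResult Get(int id)
    {
        Report report = Store.FirstOrDefault(r => r.Id == id);
        if (report == null)
        {
            return NotFound();
        }
        return Ok(report);
    }
}
```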
