Protect web service, web handler in public, restrict to owner's domains


1) I have a JavaScript chart on one page; it binds data in JavaScript on the client side. The bindings are exposed to the client. I do not own the chart source code, but it is hosted on my server.
2) To get data I call, using AJAX, a web handler on my server and get data from that handler: simple text (ashx).

Here is the problem: how to protect my data in #2 so that no thief can get my data.
The chart page is available for public use, no login required.

Here is my current idea.
1) Maybe generate some encrypted key on the server side, including in the key the current time, user IP, unique ID, etc.
2) When calling for data, the server sees it. Save the key in the data server.
- 2.1 If the user then comes again using the same IP but a different unique ID, then I block access to the older key.
- 2.1. A user, however, may never refresh the page; then how to handle this?
- 2.2. Can 2 users have the same IP?
- 2.3. I will have tons of older keys to block the thief users.
1) When a user opens a page, send the user ID to the data server and set the expire time there.
2) If the key expires, then the data server will block that key.
2.1. A user again may never refresh the page and I may end up blocking legitimate users.

Who has some clever idea?

Kyle Abrahams (Senior .Net Developer) commented:
2.2 Multiple Users can have the same IP.  

The best way to do this is to check the urlReferrer:

If the urlReferrer is your server, process the request.  If not, then don't allow it.
JSW21 (Author) commented:
Hello Kyle,
That is surely a good idea; just one more thing, however:
if the service is called directly, what will happen to
Uri MyUrl = Request.UrlReferrer;

Kyle Abrahams (Senior .Net Developer) commented:
The Request.UrlReferrer is whoever invoked the page . . . e.g. where the request is coming from.  It needs to come from somewhere, or else it's null.

In your case you would want to validate that the request came from your front end server.  The other trick to this is to have the key generated as you said.


Create a key (Guid.NewGuid() works), store in the database.   (Do this directly from the front end, don't create a method in the service).
Invoke the service, passing the key.
The service checks to make sure
     1)  The UrlReferrer is your front end
     2)  The key is valid
If the key doesn't exist or the urlReferrer is not your front end URL . . . then you have an issue, handle the fake request.

If the key exists and it's from your front end, delete the key and pass back the data.
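
The check described in the answer above, as an added example that is not part of the original thread: a single-use key issued by the front end and redeemed by the handler only when `Request.UrlReferrer` points at the front end. The in-memory store (standing in for the database), the host name `www.example.com`, the five-minute lifetime and the names `OneTimeKeys`, `Issue` and `Redeem` are assumptions.

```csharp
using System;
using System.Collections.Concurrent;

// Added example: in-memory stand-in for the database table of issued keys.
public static class OneTimeKeys
{
    // Assumed values: replace with the real front-end host and a suitable lifetime.
    const string FrontEndHost = "www.example.com";
    static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(5);
    static readonly ConcurrentDictionary<Guid, DateTime> Issued =
        new ConcurrentDictionary<Guid, DateTime>();

    // Called by the front-end page while rendering; the key is embedded in the page.
    public static string Issue()
    {
        var key = Guid.NewGuid();
        Issued[key] = DateTime.UtcNow + Lifetime;
        return key.ToString("N");
    }

    // Called by the .ashx handler with Request.UrlReferrer and the key parameter.
    public static bool Redeem(Uri referrer, string key)
    {
        // UrlReferrer is null when the handler is requested directly.
        // Compare the whole host; a prefix or substring match would accept look-alike hosts.
        if (referrer == null ||
            !string.Equals(referrer.Host, FrontEndHost, StringComparison.OrdinalIgnoreCase))
            return false;
        Guid parsed;
        if (!Guid.TryParse(key, out parsed)) return false;
        // TryRemove is atomic: two requests racing with one key cannot both succeed.
        DateTime expires;
        return Issued.TryRemove(parsed, out expires) && DateTime.UtcNow <= expires;
    }

    public static void Main()
    {
        var page = new Uri("https://www.example.com/chart.aspx"); // constructed sample
        string key = Issue();
        Console.WriteLine(Redeem(null, key));                              // direct call, no referrer
        Console.WriteLine(Redeem(new Uri("https://other.example/"), key)); // foreign page
        Console.WriteLine(Redeem(page, key));                              // first use from front end
        Console.WriteLine(Redeem(page, key));                              // replay of the same key
    }
}
```

The Referer header is supplied by the client, so the referrer comparison only filters requests from browsers on other sites; the single-use, expiring key is what limits each page load to one data fetch.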
