asked on mvc api security
Assume I have super simple MVC API. Our customer will use html jquery to consume the API.
I want to add one token per customer. for example,
customer A token: asdfasdfasfasfasd
customer B token: 23423423423234dsf
1. If the customer's webpage put above token there to consume my API, it has security concern because I can see the token in view source.
2. What is the simple way to implment API with token? I only have 2 to 5 API so I do not need very complex one.
I want to add one token per customer. for example,
customer A token: asdfasdfasfasfasd
customer B token: 23423423423234dsf
1. If the customer's webpage put above token there to consume my API, it has security concern because I can see the token in view source.
2. What is the simple way to implment API with token? I only have 2 to 5 API so I do not need very complex one.
[System.Web.Http.HttpGet]
public string Get(string firstname)
{
return firstname;
}
.NET MVCSecurity
Last Comment
Jose Gabriel Ortega Castro
ASKER
Thank You. But let me tell you more in details.
All I need is to give API - end point to our customer. It is actually the company. I will give them end point and token so their company develop can consume our API using e.g. jquery ajax to consume/read the information through API.
No one will login in this situation.
All I need is to give API - end point to our customer. It is actually the company. I will give them end point and token so their company develop can consume our API using e.g. jquery ajax to consume/read the information through API.
No one will login in this situation.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
The solution is to use a "POST" call instead of a GET :)
[HttpPost]
public string Get(string firstname)
{
//validate request and token as header then return
return firstname;
}
Anyway, if you want to make it more secure, the session HAS to start with a login form. After hashing, salting and checking against the user database, and the login is successful, issue a cookie and check this cookie for the rest of the session.
Obviously, you probably need 5 times the amount of code you didn't expect you'd need. But with any time of security, you'll have to do some more work.