Ways to secure an anonymous Web API request

I have an ASP.NET MVC (NOT ASP.NET Core) single page application with AngularJS on the front end.

My client (browser) talks to the server through ASP.NET Web APIs. Now, the web application is on https but anonymous. There is no login/user authentication.

The web app is in the form of a wizard where the user can go back and forth and add or update input fields on the web page. The form input values are then updated on the server through the Web API.

I'm looking for a way to secure my Web API calls alone, especially the POST/PUT requests. In summary, I want to prevent any user from calling my Web API directly from Postman or Fiddler. The Web API, though anonymous, can only be called from the browser session where the request originated.

  • What options do I have to achieve this?

  • Can I use Anti-Forgery token here (without authentication)?

  • One way I can think of achieving this is to add a custom header to each request and store some kind of session key in the header. Then, validate the custom header on every request I receive from the client. Are there any other ways of achieving this out of the box, or some proven library, without going for a custom solution?

  • If I have to go for the above custom solution, what are the pitfalls or potential issues I need to be aware of?

Asked by Ankit Vijay, Dec 22 '17 02:12



2 Answers

First of all, when you remove login and there's no authentication mechanism in your application, there's really no way to secure anything, because anyone can access your APIs. I think what you want is to make sure that your APIs are called only from your own website. Unfortunately you can't completely achieve that, since your web APIs are http/https, and anyone, from anywhere (like Postman, Fiddler, ...) can create an HTTP request and call your API.

All you can do is to make it harder for your API to respond to requests, like using Anti-Forgery as you mentioned.

And also I suggest you add a cookie for your application and check that cookie in every request; in this case it's more complicated (not impossible) to call your API using Fiddler or Postman.

And last I suggest that you use CORS, so browsers would only allow your domain to call your APIs. So nobody can call your APIs in a browser from different domain.

Answered by Kahbazi, Sep 17 '22 18:09


Based on the answer from @Arvin and the comment from @Evk, here's how I plan to proceed:

  • Once the user starts the anonymous session, generate a GUID using the regular Guid.NewGuid() method and save it in the DB to identify the request (I'm doing this now). However, as mentioned here,

    GUIDs can be unique but they are not cryptographically secure.

  • Hence, instead of using a plain-text GUID, encrypt it with the current timestamp as a token and append it to the request query string.

  • For every subsequent API request, read the token from query string, decrypt it and validate it as follows:

    • Check the timestamp. If the time difference is more than a pre-defined time (i.e. the token expired), reject the request

    • Validate the unique id (GUID) against DB

  • Since I'm not using a plain-text GUID anymore, the URI would not be easy to guess.

Additionally, with the timestamp, the URI is invalidated after some time. While theoretically it is still possible to call the API through Fiddler, this should make it very difficult for the attacker, if not impossible.

  • As a further security measure, I can also add an Anti-Forgery token to the request

As per my understanding this helps solve my underlying problem, and with this approach I may not even need to add a cookie to secure my anonymous session.

Love to hear from you all if this approach looks good and how it can be improved.

Answered by Ankit Vijay, Sep 16 '22 18:09
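As an added illustration of the token scheme in the answer above (this is example code, not code from the question or either answer): the session GUID and a UTC timestamp are packed into one payload and protected with ASP.NET's `MachineKey.Protect`, which both encrypts and authenticates the payload, so a client can neither read the GUID nor alter the timestamp to extend the token's life. The class name `SessionToken`, the purpose string and the 30-minute lifetime are this example's own assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;            // System.Web.dll, ASP.NET (non-Core)
using System.Web.Security;

// Example code, not from the original page. Assumed names: SessionToken, Purpose, Lifetime.
public static class SessionToken
{
    // The purpose string binds the token to this use; data protected for another
    // purpose (or by another application) fails to Unprotect.
    private const string Purpose = "AnonymousWizardSession";
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30);

    // Payload layout: 16 bytes GUID | 8 bytes Int64 UTC ticks
    public static string Create(Guid sessionId, DateTime utcNow)
    {
        var payload = new byte[24];
        Buffer.BlockCopy(sessionId.ToByteArray(), 0, payload, 0, 16);
        Buffer.BlockCopy(BitConverter.GetBytes(utcNow.Ticks), 0, payload, 16, 8);
        // URL-safe base64 so the token can be appended to a query string as-is.
        return HttpServerUtility.UrlTokenEncode(MachineKey.Protect(payload, Purpose));
    }

    // Returns the session GUID when the token is authentic and unexpired, otherwise null.
    public static Guid? Validate(string token, DateTime utcNow)
    {
        if (string.IsNullOrEmpty(token)) return null;
        byte[] payload;
        try
        {
            var raw = HttpServerUtility.UrlTokenDecode(token);
            if (raw == null) return null;
            payload = MachineKey.Unprotect(raw, Purpose); // throws if tampered or wrong purpose
        }
        catch (FormatException) { return null; }
        catch (CryptographicException) { return null; }
        if (payload == null || payload.Length != 24) return null;

        var issued = new DateTime(BitConverter.ToInt64(payload, 16), DateTimeKind.Utc);
        // Reject expired tokens; also reject timestamps from the future (server clock skew).
        if (utcNow - issued > Lifetime || issued > utcNow.AddMinutes(1)) return null;

        var guidBytes = new byte[16];
        Buffer.BlockCopy(payload, 0, guidBytes, 0, 16);
        return new Guid(guidBytes);   // the caller still looks this id up in the DB
    }
}
```

In a Web API action filter, call `Validate` on the query-string value and reject the request when it returns null, then look the returned GUID up in the DB as the answer describes; the anti-forgery token is a separate check on top of this.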