Core WebAPI ASP.NET Security Considerations

My WebAPI is just an API backend for my user interface. In fact, I will probably have 10 WebAPI services that my user interface will use.

I find it difficult to understand what I need to consider in terms of security.

My APIs are protected with bearer tokens and only allow HTTPS. I have CORS configured and it only allows the origin https://my-front.end. It all works fine.

How can I protect against CSRF/XSRF and replay attacks on WebAPI? Do I even need to?

Configuring anti-CSRF is pretty painless in an ASP.NET MVC project, but how do you do it in WebAPI, since as I understand it, it relies on sending information generated on the server to the client, which sends it back along with the request body and through another channel (for example a cookie or header). I read that you can protect against replay attacks using a nonce (like a timestamp and a random number), but I cannot find implementation examples.

Is there anything else I need to consider?


Edit: front end uses vue.js, but we have a very competent JS programmer, so any front-end implementations will not be a problem. This is just a question of what needs to be done!

It is also worth noting, to state the obvious, that WebAPI and FrontEnd run on different servers, so these are in fact cross-origin calls.

+6
1

. , XSRF . ConfigureServices AntiForgery .

public void ConfigureServices(IServiceCollection services)
{
    services.AddAntiforgery(x => x.HeaderName = "X-XSRF-TOKEN");
    services.AddMvc();
}

. API - , , . , , , , .

, cookie. Cookie, , , .

using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

public class HomeController : Controller
{
    private readonly IAntiforgery _antiForgeryService;

    public HomeController(IAntiforgery antiForgeryService)
    {
        _antiForgeryService = antiForgeryService;
    }

    public IActionResult GetToken()
    {
        // Request token is exposed in a readable (non-HttpOnly) cookie so client-side JS can echo it back in the header
        var token = _antiForgeryService.GetTokens(HttpContext).RequestToken;
        HttpContext.Response.Cookies.Append("XSRF-TOKEN", token, new CookieOptions { HttpOnly = false });
        return new StatusCodeResult(StatusCodes.Status200OK);
    }
}

IAntiforgery ( "AddMVC", .net- ).

, cookie . .

jQuery, legwork

<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/js-cookie/2.1.4/js.cookie.min.js"></script>
<script type="text/javascript">
    var token = Cookies.get("XSRF-TOKEN");

    $.ajax({
        url: "/",
        contentType: "application/json",
        type: "POST",
        headers: {
            "X-XSRF-TOKEN": token
        }
    });
</script>

, AngularJS . $http, cookie "XSRF-TOKEN", . Vue, , .

, , , cookie CSRF. CSRF.

/ AntiForgery.

[AutoValidateAntiforgeryToken]
public class HomeController : Controller
{
    // Actions using unsafe methods (POST/PUT/PATCH/DELETE) are validated automatically
}

, :

  • Setup.net Core AntiForgery , CSRF.
  • , cookie/header
  • .
  • (Not cookie)

: http://dotnetcoretutorials.com/2017/05/18/csrf-tokens-angularjsjquery-asp-net-core/

+3
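The answer above assumes the page and the API share an origin, while the question states that the API and the front end run on different hosts. Below is an added example (not code from the answer or from the linked tutorial) that carries the same antiforgery pattern through for that cross-origin case. The origin https://my-front.end is taken from the question; the policy name "spa", the /antiforgery/token route, the OrdersController and the Startup layout are assumptions made for illustration. Two points drive the differences from the answer's version: a cookie set by the API host cannot be read by document.cookie on the SPA's origin, so the request token is returned in the response body instead of a readable cookie; and the antiforgery cookie itself is only sent cross-site when it is SameSite=None; Secure and the CORS policy allows credentials for that one origin.

```csharp
// Added example, not from the original answer: antiforgery for a cross-origin SPA.
// "https://my-front.end" is from the question; the policy name, routes and
// controller names below are assumed for illustration.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private const string SpaOrigin = "https://my-front.end"; // from the question

    public void ConfigureServices(IServiceCollection services)
    {
        // The antiforgery cookie is scoped to the API host. For the browser to send it
        // on a cross-site fetch/XHR it must be SameSite=None and Secure; the request
        // token half is handed to the client in a response body (see GetToken below).
        services.AddAntiforgery(o =>
        {
            o.HeaderName = "X-XSRF-TOKEN";
            o.Cookie.SameSite = SameSiteMode.None;
            o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });

        // Credentialed CORS restricted to the single front-end origin. AllowCredentials
        // is what lets the antiforgery cookie travel; it is only safe with an explicit
        // origin list, never combined with AllowAnyOrigin.
        services.AddCors(o => o.AddPolicy("spa", p => p
            .WithOrigins(SpaOrigin)
            .WithHeaders("Content-Type", "Authorization", "X-XSRF-TOKEN")
            .WithMethods("GET", "POST", "PUT", "DELETE")
            .AllowCredentials()));

        // Validate every unsafe method globally instead of per controller, so a new
        // controller cannot be deployed without the check.
        services.AddControllers(o => o.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseCors("spa"); // must run before the endpoints it applies to
        // The bearer-token authentication middleware from the question would be added here.
        app.UseEndpoints(e => e.MapControllers());
    }
}

[ApiController]
[Route("antiforgery")]
public class AntiforgeryController : ControllerBase
{
    private readonly IAntiforgery _antiforgery;
    public AntiforgeryController(IAntiforgery antiforgery) => _antiforgery = antiforgery;

    // GET is a safe method, so the global filter does not validate it.
    // GetAndStoreTokens writes the HttpOnly antiforgery cookie and returns the
    // matching request token, which the SPA stores and echoes in X-XSRF-TOKEN.
    [HttpGet("token")]
    public IActionResult GetToken()
    {
        var tokens = _antiforgery.GetAndStoreTokens(HttpContext);
        return Ok(new { token = tokens.RequestToken });
    }
}

[ApiController]
[Route("api/orders")]
public class OrdersController : ControllerBase
{
    // Covered by the global AutoValidateAntiforgeryToken filter: a POST whose
    // X-XSRF-TOKEN header does not match the antiforgery cookie is rejected with
    // 400 before this action runs.
    [HttpPost]
    public IActionResult Create([FromBody] object order) => Accepted();
}
```

On the client, the SPA first calls GET /antiforgery/token with credentials included (fetch's `credentials: "include"`), keeps the returned token in memory, and then sends it in the X-XSRF-TOKEN header, again with credentials included, on every state-changing request. One caveat worth weighing before adding any of this: CSRF exists because browsers attach cookies automatically. If the API is authenticated only by a bearer token in the Authorization header, as the question describes, and sets no authentication cookie, a cross-site page cannot make the browser attach that header, so the antiforgery check adds little; it becomes essential as soon as an authentication or session cookie enters the picture.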

Source: https://habr.com/ru/post/1017324/
