How to check if the calling web service is my website?

For security reasons, I need to ensure that only a web client running on a particular website can access the web service. At the moment I only verify the requesting domain, but I need to make this more reliable. I find it too easy to get around my security check.

+3
7 answers

Sign a token (I recommend using HMAC, with at least SHA-1). This site provides sample code for ASP.NET; I do not use .NET, so I cannot check this code.

Provide the client with the HMAC token. Have the client send it back to the web service with each request.

In the web service, simply verify the HMAC signature.

If your token never changes, an attacker can observe it in the client code and copy it. You can get around this by making the token a timestamp and accepting tokens only if they fall within a certain time window, or by binding the token to a specific user in some way.

Referrers alone are not a sufficient security measure; they can be stripped by proxies or forged by malicious clients.

+1
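The scheme the answer above describes, written out as an added example (not code from the original answer or from the site it links to): the website mints a token that binds a user identifier to an issue timestamp under an HMAC, the client echoes it on every request, and the web service checks the signature in constant time and rejects tokens outside a freshness window. The secret key, the five-minute window, the 30-second clock-skew allowance and the `user_id.timestamp.signature` layout are all assumptions made for this example; SHA-256 is used instead of the SHA-1 the answer names as a minimum.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed example secret. In production, load it from a secret store on the
# service side only; it must never be shipped to the browser.
SECRET_KEY = b"example-shared-secret-do-not-use"
TOKEN_TTL_SECONDS = 300      # assumed freshness window: accept tokens issued in the last 5 minutes
CLOCK_SKEW_SECONDS = 30      # assumed tolerance for clients slightly ahead of the service clock


def issue_token(user_id: str, issued_at: Optional[int] = None, key: bytes = SECRET_KEY) -> str:
    """Mint the token the website hands to its client.

    Layout (assumed for this example): "<user_id>.<unix_timestamp>.<base64url HMAC-SHA256>".
    Binding the user id and timestamp into the signed message is what stops a copied
    token from being reused indefinitely or for a different user.
    """
    ts = int(time.time()) if issued_at is None else issued_at
    message = f"{user_id}.{ts}".encode()
    sig = hmac.new(key, message, hashlib.sha256).digest()
    sig_b64 = base64.urlsafe_b64encode(sig).decode().rstrip("=")
    return f"{user_id}.{ts}.{sig_b64}"


def verify_token(token: str, now: Optional[int] = None, key: bytes = SECRET_KEY,
                 ttl: int = TOKEN_TTL_SECONDS) -> Tuple[bool, str]:
    """Service-side check. Returns (True, user_id) or (False, reason)."""
    try:
        # rsplit keeps any dots inside user_id intact; the signature alphabet has none
        user_id, ts_str, _sig = token.rsplit(".", 2)
        ts = int(ts_str)
    except ValueError:
        return False, "malformed"

    # Recompute the expected token and compare in constant time so that the
    # comparison's timing does not leak how many signature bytes matched.
    expected = issue_token(user_id, ts, key)
    if not hmac.compare_digest(expected, token):
        return False, "bad signature"

    current = int(time.time()) if now is None else now
    if ts > current + CLOCK_SKEW_SECONDS:
        return False, "timestamp in the future"
    if current - ts > ttl:
        return False, "expired"
    return True, user_id


if __name__ == "__main__":
    tok = issue_token("alice")
    print("issued:", tok)
    print("verify:", verify_token(tok))
```

The signature check runs before the freshness check on purpose: a forged token is rejected without the service revealing anything about the time window. The token still protects only what it binds, so a client that can be scripted will still be able to call the service for as long as a freshly issued token is valid; the window and the per-user binding limit how far a captured token travels rather than preventing capture.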

, HTTP-, , Tamper Data: https://addons.mozilla.org/en-US/firefox/addon/966

cookie, , .

0

-, IP- ( - ).

, , - , , , .

- ? ?

@powtac , - , , , .

, - ; - - - - :)

0

- .

- - -. - - ( auth SSL, , - ).

, , . -, HTML-, . , - .. -. , .

0

, -, (, ), , , x //? .

0

ASP.NET, , , - . cookie , -, , .

0

.

fixed typo thanks Nosredna

-1

Source: https://habr.com/ru/post/1723953/
