How to Secure Your Web Service from Anonymous Access

As we all know, our web service is open and anyone can access it. There is no security: if anyone knows the URL, they can use it.

It is possible to retrieve sensitive data using this URL. With eCommerce websites, someone could place an order from the front end and then pass parameters to our web service to mark the order as confirmed without paying through our payment options.

If our web application uses a wallet system that is maintained through the web service, anyone can add balance to their own wallet account. This is very dangerous for our eCommerce websites.

So we need to prevent this by adding a security method. Here I describe a security method that we must implement in all our web services (APIs).

To secure your web service from anonymous access, we can implement the following options.
  1. Once the API goes live, put the tag below into the <system.web> section of the web.config file.

    <webServices>
        <protocols>
            <add name="HttpGet" />
            <add name="HttpPost" />
            <remove name="Documentation" />
        </protocols>
    </webServices>

    Once we add this tag to the web.config file, an end user can no longer open the service's auto-generated documentation (test) page in their browser. If they try to access it, the system returns an error.

  2. We need to generate a unique API key for each and every site. This unique API key is declared in the <appSettings></appSettings> section of web.config.
    This key must be passed to each and every method/function. If the API key matches the web site's API key, the method executes; otherwise it returns an "API key does not match" error.

This API Key will be defined as global.
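The following is an added example, not code from the original article, showing how the global API key check described in option 2 can be wired into an ASMX web service. It assumes an appSettings entry named "ApiKey" in web.config and a service class named OrderService with a ConfirmOrder method; both names are assumptions chosen for illustration. The key is compared byte by byte without an early exit so that a mismatch does not leak how much of the key was correct.

```csharp
// Added example (not the article's code). Assumes web.config contains:
//   <appSettings>
//     <add key="ApiKey" value="REPLACE-WITH-A-LONG-RANDOM-VALUE" />
//   </appSettings>
// "ApiKey", "OrderService" and "ConfirmOrder" are illustrative names.
using System;
using System.Configuration;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;

[WebService(Namespace = "http://example.com/orders")]
public class OrderService : WebService
{
    // Read once at startup: the key is global to the whole service, as in option 2.
    private static readonly string ExpectedApiKey =
        ConfigurationManager.AppSettings["ApiKey"] ?? string.Empty;

    // Fixed-work comparison: every byte of the shorter value is examined and the
    // length difference is folded in, so timing does not reveal where a guess diverged.
    private static bool ApiKeyMatches(string supplied)
    {
        if (string.IsNullOrEmpty(supplied) || string.IsNullOrEmpty(ExpectedApiKey))
            return false;

        byte[] a = Encoding.UTF8.GetBytes(supplied);
        byte[] b = Encoding.UTF8.GetBytes(ExpectedApiKey);
        int diff = a.Length ^ b.Length;
        int n = Math.Min(a.Length, b.Length);
        for (int i = 0; i < n; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Called first in every web method: the request is rejected before any work is done.
    private static void RequireApiKey(string apiKey)
    {
        if (!ApiKeyMatches(apiKey))
            throw new SoapException("API key does not match", SoapException.ClientFaultCode);
    }

    [WebMethod]
    public string ConfirmOrder(string apiKey, int orderId)
    {
        RequireApiKey(apiKey);
        // Order-update logic runs only after the key has been verified.
        return "Order " + orderId + " confirmed";
    }
}
```

Because the key travels with every call, the service should be reachable only over HTTPS, and the value in appSettings should be a long random string rather than a word that can be guessed. Keeping the check in one helper and calling it as the first line of each method avoids the common mistake of forgetting it on a newly added method.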