question

MattBanes-6445 asked Bruce-SqlWork answered

Blazor Webassembly Hosted - Restrict API Calls to App

I'm putting together a small, temporary app using the Blazor Webassembly .NET hosted model. I'm trying to find out if there is a way to restrict calls to the server-side controllers in the app to the UI only. For example, I want the app to be able to access the controllers, but don't want a user to be able to call the API directly after just being able to see it in the developer tools network tab.

The app will not be authenticated in this case; it's more that I just want to keep the workflow going through the UI.

dotnet-aspnet-core-blazor

Web API is stateless. The UI must pass something to Web API that identifies the UI. Maybe Basic Authentication is enough?

HTTP authentication

There's also the security docs.

Introduction to authorization in ASP.NET Core



Basic auth might be a good option for this. I thought about using CORS settings to require that the request come from the app's address, but it seems to be ignoring those as well.


1 Answer

Bruce-SqlWork answered

No, you cannot.

Even if the site is just web pages, the GETs and POSTs (controller actions) are a public API. Just Google "screen scraping" to see the tools available to do this.

Your actions should not trust data more than required. You should verify the data is valid for the user. For example, if a user id is passed, you should validate that the authenticated user has access to that user id, and can perform the requested action on that user id.
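The check the answer describes, as an added example that is not part of the original thread or of any Microsoft sample: a controller in the hosted Blazor server project that never trusts the `userId` in the route, but compares it with the authenticated caller's identity and also confirms the requested resource belongs to that user. It assumes the server has an authentication scheme configured that populates the `NameIdentifier` claim (cookie, JWT bearer or Basic, as discussed in the comments); `Order`, `IOrderRepository` and the `api/users/{userId}/orders` route are hypothetical. It also illustrates the point raised in the comments about CORS: a CORS policy only governs what a browser lets a page read, so it cannot keep a non-browser client away from the API.

```csharp
// Added example, not from the original thread. Assumes an authentication scheme
// is registered in Program.cs that sets ClaimTypes.NameIdentifier on the principal.
// Order, IOrderRepository and the route layout are hypothetical.
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

namespace HostedApp.Server.Controllers;

public record Order(int Id, string OwnerId, decimal Total);

public interface IOrderRepository
{
    Task<Order?> FindAsync(int orderId);
    Task<bool> CancelAsync(int orderId);
}

[ApiController]
[Route("api/users/{userId}/orders")]
[Authorize] // anonymous callers are rejected before any action body runs
public class OrdersController : ControllerBase
{
    private readonly IOrderRepository _orders;

    public OrdersController(IOrderRepository orders) => _orders = orders;

    // Nothing in an HTTP request proves it came from the Blazor UI rather than
    // from curl or a script, and CORS only tells browsers which origins may read
    // a response. The reliable check is therefore: does the authenticated
    // principal have the right to act on the userId named in the route?
    private bool CallerOwns(string userId) =>
        string.Equals(
            User.FindFirstValue(ClaimTypes.NameIdentifier),
            userId,
            StringComparison.Ordinal);

    [HttpGet("{orderId:int}")]
    public async Task<ActionResult<Order>> Get(string userId, int orderId)
    {
        if (!CallerOwns(userId))
            return Forbid(); // 403: authenticated, but not as this user

        var order = await _orders.FindAsync(orderId);

        // Check the resource as well as the user: a caller who owns userId must
        // not be able to pair it with somebody else's orderId.
        if (order is null || order.OwnerId != userId)
            return NotFound(); // 404 rather than 403 avoids confirming the id exists

        return order;
    }

    [HttpPost("{orderId:int}/cancel")]
    public async Task<IActionResult> Cancel(string userId, int orderId)
    {
        if (!CallerOwns(userId))
            return Forbid();

        var order = await _orders.FindAsync(orderId);
        if (order is null || order.OwnerId != userId)
            return NotFound();

        return await _orders.CancelAsync(orderId) ? NoContent() : Conflict();
    }
}
```

The two checks are deliberately separate: `CallerOwns` answers "may this principal act as this user", and the ownership comparison on the loaded `Order` answers "does this object belong to that user". Dropping either one leaves a path where a valid, authenticated caller can read or cancel data that is not theirs, which is exactly the situation the answer warns about, and no amount of hiding the endpoint from the network tab changes that.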
