Action to only allow request from same webserver
I have an MVC Controller which exposes an Initialise Action. The other virtual web application hosted on the same IIS will need to access this Action.
For security reasons, only requests coming from the same web server (where the MVC app is hosted) will need to be granted access to this Initialise method.
Could someone please help how to achieve this? We can't use localhost to validate as this application will be hosted in Azure, which doesn't support localhost requests.
asp.net-mvc security
How is Initialise to be called? Via AJAX, via a server side call or via another method? – SilverlightFox Dec 16 '13 at 13:17
Via server thanks – Nil Pun Dec 17 '13 at 3:49
edited Dec 27 '18 at 15:06 by Yuck
asked Dec 15 '13 at 11:29 by Nil Pun
5 Answers
My answer is regarding restricting server-side requests.
The website that calls Initialise would need to make a request to http://www.example.com/controller/Initialise rather than http://localhost/controller/Initialise (replacing www.example.com and controller with your domain and controller names of course).
HttpRequest.IsLocal should be checked in your controller action:

    // SecurityException lives in System.Security
    if (!Request.IsLocal)
    {
        throw new SecurityException();
    }

This will reject any requests not coming from the local host. This approach assumes that both the calling site and the requested site share the same IP address - the documentation states that this should work:
The IsLocal property returns true if the IP address of the request originator is 127.0.0.1 or if the IP address of the request is the same as the server's IP address.
For restricting client-side requests Google "csrf mitigation".
edited Feb 24 '18 at 5:49
answered Dec 17 '13 at 9:55 by SilverlightFox
Access-Control-Allow-Origin tells the browser regarding its accessibility to domains. Try specifying:

    HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "yourdomain")

I have not tested this to find out if this works.
answered Dec 15 '13 at 12:25 by KrishnaDhungana
Use the AntiForgeryToken provided by ASP.NET MVC. Here is an article about that.
http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/
answered Dec 16 '13 at 13:31 by Khalid Abuhakmeh
I think Request.IsLocal is the way to go here. Since you're using MVC, you could implement a custom attribute to do this for you. See my answer here for a working example.
edited May 23 '17 at 12:00 by Community♦
answered Jun 18 '14 at 11:06 by Dobin the Code Horse
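The two answers above (check Request.IsLocal, and do it from a custom MVC attribute rather than inside each action) combined into one self-contained example. This is an added illustration, not code from the page's authors or from the linked answer; LocalOnlyAttribute, MaintenanceController, InitialiseClient and the hostname www.example.com are assumed names. The filter runs before the action and fails closed with 403, so the check cannot be forgotten when the action is changed; the caller in the sibling application targets the public hostname, as the first answer requires, rather than localhost.

```csharp
using System.Net;
using System.Web;
using System.Web.Mvc;

// Authorization filter: refuses any request IIS does not classify as local.
// HttpRequest.IsLocal is true when the peer address is loopback or equals the
// server's own address. Behind a load balancer or reverse proxy the TCP peer
// is the proxy, not the sibling site, so verify the behaviour in the target
// environment before relying on it.
public sealed class LocalOnlyAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.Request.IsLocal)
        {
            // Short-circuit: the action method never executes.
            filterContext.Result = new HttpStatusCodeResult(403);
        }
    }
}

public class MaintenanceController : Controller   // assumed controller name
{
    // POST only, so a plain link or <img> tag cannot trigger it,
    // and local only, so a remote client cannot reach it at all.
    [HttpPost]
    [LocalOnly]
    public ActionResult Initialise()
    {
        // ... application initialisation work goes here ...
        return new HttpStatusCodeResult(204);
    }
}

// Caller side, running in the sibling web application on the same server.
// The request goes to the public hostname rather than to localhost.
public static class InitialiseClient
{
    public static void Run()
    {
        using (var client = new WebClient())
        {
            // Assumed URL; replace host, controller and action with your own.
            client.UploadString("http://www.example.com/Maintenance/Initialise", "POST", string.Empty);
        }
    }
}
```

Note that an address-based check only answers "did this arrive from my own machine"; it does not identify which application on that machine sent it. If other code on the same host must not be able to call Initialise, add a credential the sibling app presents (for example a shared secret in a header, compared in constant time) on top of the filter.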
If your server has multiple IP addresses, you'll need some extra code. The following handles multiple IP addresses, and handles a CDN like Cloudflare which will have the wrong IP address in the Request.UserHostAddress property.
Code:

    using System.Net.NetworkInformation; // NetworkInterface, IPInterfaceProperties, UnicastIPAddressInformation

    private bool IsLocal()
    {
        // Fast path: loopback, or peer address equal to the address the request arrived on.
        if (Request.IsLocal)
        {
            return true;
        }
        // Address reported by a CDN/reverse proxy; compared below as the whole header value.
        string forwardIP = Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
        // Accept the request if either the peer address or the forwarded address
        // is one of this machine's own unicast addresses (covers multi-homed servers).
        foreach (NetworkInterface netInterface in NetworkInterface.GetAllNetworkInterfaces())
        {
            IPInterfaceProperties ipProps = netInterface.GetIPProperties();
            foreach (UnicastIPAddressInformation addr in ipProps.UnicastAddresses)
            {
                string ipString = addr.Address.ToString();
                if (Request.UserHostAddress == ipString || forwardIP == ipString)
                {
                    return true;
                }
            }
        }
        return false;
    }

answered Dec 17 '15 at 5:00 by jjxtra
HTTP_X_FORWARDED_FOR can be spoofed, so if you aren't using a CDN it is probably better to remove it entirely. – jjxtra Dec 22 '15 at 15:33
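A proxy-aware rewrite of the multi-address check above, added here as an example rather than taken from the answer. It differs from the posted code in three ways: addresses are compared as IPAddress values instead of strings (so ::ffff:10.0.0.5 and 10.0.0.5 match), X-Forwarded-For is honoured only when the TCP peer is one of a configured set of trusted proxy addresses, and within that header only the entry appended by the trusted proxy is used, since everything before it was supplied by the client. TrustedProxies is a placeholder to fill with the addresses of your CDN or reverse proxy (a CDN that publishes CIDR ranges needs prefix matching, not shown here); leave it empty when nothing sits in front of the site, which makes the header irrelevant, exactly as the comment above recommends. IsIPv4MappedToIPv6 and MapToIPv4 require .NET 4.5 or later.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.NetworkInformation;
using System.Web;

public static class LocalRequestCheck
{
    // Placeholder: addresses of the proxies allowed to set X-Forwarded-For.
    // Empty means "no proxy in front of this site", so the header is ignored.
    private static readonly IPAddress[] TrustedProxies = { };

    public static bool IsFromThisHost(HttpRequestBase request)
    {
        IPAddress peer;
        if (!IPAddress.TryParse(request.UserHostAddress, out peer))
        {
            return false; // unparsable peer address: fail closed
        }
        peer = Normalize(peer);

        // Start from the TCP peer. Only replace it with the forwarded address
        // when the peer is a proxy we trust; anyone else can write arbitrary
        // text into X-Forwarded-For.
        IPAddress client = peer;
        if (TrustedProxies.Any(p => p.Equals(peer)))
        {
            string xff = request.Headers["X-Forwarded-For"];
            if (!string.IsNullOrWhiteSpace(xff))
            {
                // Each proxy appends the address it saw, so the LAST entry is the
                // one written by our trusted proxy. Earlier entries are untrusted.
                string last = xff.Split(',').Last().Trim();
                IPAddress forwarded;
                if (!IPAddress.TryParse(last, out forwarded))
                {
                    return false; // malformed header from a trusted proxy: fail closed
                }
                client = Normalize(forwarded);
            }
        }

        if (IPAddress.IsLoopback(client))
        {
            return true;
        }

        // Multi-homed server: accept any address bound to an interface that is up.
        return LocalAddresses().Any(a => a.Equals(client));
    }

    private static IEnumerable<IPAddress> LocalAddresses()
    {
        return NetworkInterface.GetAllNetworkInterfaces()
            .Where(n => n.OperationalStatus == OperationalStatus.Up)
            .SelectMany(n => n.GetIPProperties().UnicastAddresses)
            .Select(u => Normalize(u.Address));
    }

    // Treat an IPv4-mapped IPv6 address as its IPv4 form so the two compare equal.
    private static IPAddress Normalize(IPAddress address)
    {
        return address.IsIPv4MappedToIPv6 ? address.MapToIPv4() : address;
    }
}
```

Call LocalRequestCheck.IsFromThisHost(Request) from the controller action or from an authorization filter in place of Request.IsLocal. The string comparison in the posted code fails when the header carries a comma-separated chain and, with no proxy in front, lets any client claim a local address simply by sending one; both cases are handled here by parsing the header and by trusting it only from a known peer.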