How can we secure a web API which serves a mobile application and a single-page web application?

What I have tried:

I have researched and there are different techniques, including cookies and JWT, but JWT is quite new and I don't have enough resources to make it work in .NET.
Posted; updated 25-Feb-17 2:32am

1 solution

And by secure, what do you actually mean? Do you mean that unauthorized access should be prevented? In that case, you need an authentication system. ASP.NET Web API already has that feature; it is called Identity.

ASP.NET Identity 2.1 with ASP.NET Web API 2.2 (Accounts Management) - Part 1 - Bit of Technology

ASP.NET has the Identity framework itself; all that you need to do is enable the accounts to also contain the tokens or authentication keys to use with Web API. Since your mobile application is also powered by the same web application, you can try to register the users using the same application — username/password. Just add a form for the user to fill in and then authenticate them.

If you want Web API to have a different authentication system, then look into OAuth: OAuth 2.0 — OAuth.

The working of the Web API and authentication was also explained a bit in one of my previous articles, Facial biometric authentication on your connected devices; skip to the parts where it mentions the authentication system, then read the method there.

For other types of security, such as SQL injection, XSS attacks etc., please go through the complete Security section of the ASP.NET documentation. It provides an even broader concept and ways to secure your application against the most prominent attacks against your website or data.
Comments
Member 9129971 23-Mar-17 10:30am
I have a C# Web API, an Angular web app, and Android and iOS apps using the same API. Now I want to secure it by all means. For example, I don't want to expose client IDs; for that I am going to generate a random token against userid/password at login time, and after getting the token the client side will use this token for future requests. I will store this token in the database against customerid so that when a customer requests the API using the token, I will get the customerid from the database using the token and provide data for that specific customer. Any improvements in this technique or any other better option? Do you think there may be any loophole in this technique which I am missing?
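The token scheme described in the comment above (a random token issued at login, stored against the customer id, looked up on every request) is the same opaque-bearer-token model that Identity and OAuth bearer tokens implement. The following is an added example written for this page; it is not code from the answer, the commenter, or ASP.NET Identity. It shows the parts a reviewer would check in such a design: the token comes from the OS CSPRNG rather than `System.Random`, the database stores only a SHA-256 hash of the token (so a leaked table does not yield usable sessions), every token carries an expiry, and a single token can be revoked at logout. The `TokenStore` class, the in-memory `Dictionary` standing in for the database table, and the customer id `42` are all constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical opaque bearer-token store for a Web API (example code, not
// part of the original page). The client receives a random token at login
// and sends it on later requests; the server keeps only a hash of the token
// next to the customer id and an expiry time.
public sealed class TokenStore
{
    private sealed class TokenRecord
    {
        public int CustomerId;
        public DateTime ExpiresUtc;
    }

    // Key: hex SHA-256 of the token. In a real deployment this is an indexed
    // column in the tokens table; the dictionary stands in for that table.
    private readonly Dictionary<string, TokenRecord> _tokens = new Dictionary<string, TokenRecord>();
    private readonly TimeSpan _lifetime;

    public TokenStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Called only after the username/password check has succeeded. Returns the
    // token the client must keep; the server never stores this value in clear.
    public string Issue(int customerId, DateTime nowUtc)
    {
        var bytes = new byte[32];                       // 256 bits of entropy
        using (var rng = RandomNumberGenerator.Create()) // OS CSPRNG, not System.Random
            rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        _tokens[Hash(token)] = new TokenRecord { CustomerId = customerId, ExpiresUtc = nowUtc + _lifetime };
        return token;
    }

    // Resolves a presented token to a customer id. Returns false when the token
    // is missing, unknown (including tampered) or expired.
    public bool TryResolve(string token, DateTime nowUtc, out int customerId)
    {
        customerId = 0;
        if (string.IsNullOrEmpty(token)) return false;
        string key = Hash(token);
        TokenRecord rec;
        if (!_tokens.TryGetValue(key, out rec)) return false;
        if (nowUtc >= rec.ExpiresUtc)
        {
            _tokens.Remove(key);                        // lazy cleanup of expired tokens
            return false;
        }
        customerId = rec.CustomerId;
        return true;
    }

    // Logout: invalidates this one session token without touching the user's others.
    public bool Revoke(string token) { return _tokens.Remove(Hash(token)); }

    // Deterministic hash so the table can be indexed on it; a DB leak exposes
    // only hashes, which cannot be replayed as tokens.
    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(token));
            var sb = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest) sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    public static void Main()
    {
        var store = new TokenStore(TimeSpan.FromHours(8));
        DateTime now = DateTime.UtcNow;
        string token = store.Issue(42, now);            // constructed customer id
        int id;

        Console.WriteLine("valid token resolves:   " + (store.TryResolve(token, now, out id) && id == 42));
        Console.WriteLine("tampered token resolves: " + store.TryResolve("x" + token, now, out id));
        Console.WriteLine("revoke succeeds:         " + store.Revoke(token));
        Console.WriteLine("revoked token resolves:  " + store.TryResolve(token, now, out id));

        string second = store.Issue(42, now);
        Console.WriteLine("expired token resolves:  " + store.TryResolve(second, now.AddHours(9), out id));
    }
}
```

Keying the table on the hash rather than the raw token is the one change that turns the commenter's scheme from "database leak equals session hijack for every customer" into "database leak yields nothing replayable"; expiry and per-token revocation bound the damage of a token that leaks from the client side instead.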

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
