You are previewing ASP.NET Web API Security Essentials.
O'Reilly logo
ASP.NET Web API Security Essentials

Book Description

Take the security of your ASP.NET Web API to the next level using some of the most amazing security techniques around

About This Book

  • This book has been completely updated for ASP.NET Web API 2.0 including the new features of ASP.NET Web API such as Cross-Origin Resource Sharing (CORS) and OWIN self-hosting

  • Learn various techniques to secure ASP.NET Web API, including basic authentication using authentication filters, forms, Windows Authentication, external authentication services, and integrating ASP.NET’s Identity system

  • An easy-to-follow guide to enable SSL, prevent Cross-Site Request Forgery (CSRF) attacks, and enable CORS in ASP.NET Web API

  • Who This Book Is For

    This book is intended for anyone who has previous knowledge of developing ASP.NET Web API applications. Good working knowledge and experience with C# and.NET Framework are prerequisites for this book.

    What You Will Learn

  • Secure your web API by enabling Secured Socket Layer (SSL)

  • Manage your application’s user accounts by integrating ASP.NET’s Identity system

  • Ensure the security of your web API by implementing basic authentication

  • Implement forms and Windows authentication to secure your web API

  • Use external authentication such as Facebook and Twitter to authenticate a request to a web API

  • Protect your web API from CSRF attacks

  • Enable CORS in your web API to explicitly allow some cross-origin requests while rejecting others

  • Fortify your web API using OAuth2

  • In Detail

    This book incorporates the new features of ASP.NET Web API 2 that will help you to secure an ASP.NET Web API and make a well-informed decision when choosing the right security mechanism for your security requirements.

    We start by showing you how to set up a browser client to utilize ASP.NET Web API services. We then cover ASP.NET Web API’s security architecture, authentication, and authorization to help you secure a web API from unauthorized users. Next, you will learn how to use SSL with ASP.NET Web API, including using SSL client certificates, and integrate the ASP.NET Identity system with ASP.NET Web API.

    We’ll show you how to secure a web API using OAuth2 to authenticate against a membership database using OWIN middleware. You will be able to use local logins to send authenticated requests using OAuth2. We also explain how to secure a web API using forms authentication and how users can log in with their Windows credentials using integrated Windows authentication. You will come to understand the need for external authentication services to enable OAuth/OpenID and social media authentication. We’ll then help you implement anti-Cross-Site Request Forgery (CSRF) measures in ASP.NET Web API.

    Finally, you will discover how to enable Cross-Origin Resource Sharing (CORS) in your web API application.

    Style and approach

    Each chapter is dedicated to a specific security technique, in a task-based and easy-to-follow way. Most of the chapters are accompanied with source code that demonstrates the step-by-step guidelines of implementing the technique, and includes an explanation of how each technique works.

    Downloading the example code for this book. You can download the example code files for all Packt books you have purchased from your account at If you purchased this book elsewhere, you can visit and register to have the code file.

    Table of Contents

    1. ASP.NET Web API Security Essentials
      1. Table of Contents
      2. ASP.NET Web API Security Essentials
      3. Credits
      4. About the Author
      5. Acknowledgments
      6. About the Reviewer
        1. Support files, eBooks, discount offers, and more
          1. Why subscribe?
          2. Free access for Packt account holders
      8. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
          1. Conventions
        4. Reader feedback
        5. Customer support
          1. Downloading the example code
          2. Errata
          3. Piracy
          4. Questions
      9. 1. Setting up a Browser Client
        1. ASP.NET Web API security architecture
        2. Setting up your browser client
          1. Implementing Web API lookup service
            1. Adding a model
            2. Adding a controller
          2. Consuming the Web API using JavaScript and jQuery
            1. Getting a list of contacts
            2. Getting a contact by ID
            3. Running the application
        3. Authentication and authorization
          1. Authentication
          2. Authorization
        4. Implementing authentication in HTTP message handlers
        5. Setting the principal
        6. Using the [Authorize] attribute
          1. Global authorization filter
          2. Controller level authorization filter
          3. Action level authorization filter
        7. Custom authorization filters
        8. Authorization inside a controller action
        9. Summary
      10. 2. Enabling SSL for ASP.NET Web API
        1. Enforcing SSL in a Web API controller
        2. Using client certificates in Web API
          1. Creating an SSL Client Certificate
          2. Configuring IIS to accept client certificates
          3. Verifying Client Certificates in Web API
        3. Summary
      11. 3. Integrating ASP.NET Identity System with Web API
        1. Creating an Empty Web API Application
        2. Installing the ASP.NET Identity NuGet packages
        3. Setting up ASP.NET Identity 2.1
          1. ASP.NET Identity
        4. Defining Web API Controllers and methods
          1. Testing the application
        5. Summary
      12. 4. Securing Web API Using OAuth2
        1. Hosting OWIN in IIS and adding Web API to the OWIN pipeline
        2. Individual User Account authentication flow
        3. Sending an unauthorized request
        4. Get an access token
        5. Send an authenticated request
        6. Summary
      13. 5. Enabling Basic Authentication using Authentication Filter in Web API
        1. Basic authentication with IIS
        2. Basic authentication with custom membership
        3. Basic authentication using an authentication filter
        4. Setting an authentication filter
          1. Action-level authentication filter
          2. Controller-level authentication filter
          3. Global-level authentication filter
        5. Implementing a Web API authentication filter
        6. Setting an error result
        7. Combining authentication filters with host-level authentication
        8. Summary
      14. 6. Securing a Web API using Forms and Windows Authentication
        1. Working of Forms authentication
        2. Implementing Forms authentication in Web API
        3. What is Integrated Windows Authentication?
        4. Advantages and disadvantages of using the Integrated Windows Authentication mechanism
        5. Configuring Windows Authentication
        6. Difference between Basic Authentication and Windows authentication
        7. Enabling Windows authentication in Katana
        8. Summary
      15. 7. Using External Authentication Services with ASP.NET Web API
        1. Using OWIN external authentication services
          1. Creating an ASP.NET MVC Application
        2. Implementing Facebook authentication
        3. Implementing Twitter authentication
        4. Implementing Google authentication
        5. Implementing Microsoft authentication
        6. Discussing authentication
        7. Summary
      16. 8. Avoiding Cross-Site Request Forgery Attacks in Web API
        1. What is a CSRF attack?
        2. Anti-forgery tokens using HTML Form or Razor View
          1. How does an Anti-forgery token work?
        3. Anti-forgery tokens using AJAX
        4. Summary
      17. 9. Enabling Cross-Origin Resource Sharing (CORS) in ASP.NET Web API
        1. What is CORS?
        2. How CORS works
        3. Setting the allowed origins
        4. Setting the allowed HTTP methods
        5. Setting the allowed request headers
        6. Setting the allowed response headers
        7. Passing credentials in cross-origin requests
        8. Enabling CORS at various scope
          1. Enable at action level
          2. Enable at controller level
          3. Enable CORS globally
        9. Summary
      18. Index