Watch the video below to see a demo of protecting WebAPI with HTTP header and a Client Secret. By default, new Web API projects lack any security mechanism and are open to any anonymous user. Protecting Dot Net methods with an IF() statement condition provides a simple security mechanism to ensure only users who know the Client Secret are able to run the API and execute the method.
NOTE – Check out https://www.spjeff.com/2017/10/05/video-azure-ad-protected-web-api-in-an-angularjs-spa/ for more complete WebAPI security with Azure AD.
Cheers!

Video
Screenshots

Code
public bool keyMatch()
{
// security HTTP header
string key = "12345678901234567890123456789012345678901234567890";
IEnumerable headerValues;
var keyFilter = string.Empty;
if (Request.Headers.TryGetValues("key", out headerValues))
{
// ALLOW - match key
keyFilter = headerValues.FirstOrDefault();
}
if (keyFilter == key)
{
return true;
}
else
{
return false;
}
}