Watch the video below to see a demo of protecting WebAPI with HTTP header and a Client Secret. By default, new Web API projects lack any security mechanism and are open to any anonymous user. Protecting Dot Net methods with an IF() statement condition provides a simple security mechanism to ensure only users who know the Client Secret are able to run the API and execute the method.

NOTE – Check out https://www.spjeff.com/2017/10/05/video-azure-ad-protected-web-api-in-an-angularjs-spa/ for more complete WebAPI security with Azure AD.

Cheers!

Video

Screenshots

Code

public bool keyMatch()
{
	// security HTTP header
	string key = "12345678901234567890123456789012345678901234567890";
	IEnumerable headerValues;
	var keyFilter = string.Empty;
	if (Request.Headers.TryGetValues("key", out headerValues))
	{
		// ALLOW - match key
		keyFilter = headerValues.FirstOrDefault();
	}
	if (keyFilter == key)
	{
		return true;
	}
	else
	{
		return false;
	}
}

References

https://stackoverflow.com/questions/14967457/how-to-extract-custom-header-value-in-web-api-message-handler
https://www.grc.com/passwords.htm
http://spjeff.azurewebsites.net/

SPBestWarmup	SPLaunch
SPPatchify	SPCrud

spcrud	101 commits
sppatchify	159
spbestwarmup	115
office365	95
insanemove	56
spquery	10
sosgrid	18
HelloTime	18
dbftw	11
todo-karma-coverage	14
sp-peoplepicker	10

spbestwarmup	20,386 downloads
splaunch	133
spupgradehelper	75
infopathdb	1,270
spdash	896
comb	649

VIDEO – HTTP Header Client Secret protected Web API

Video

Screenshots

Code

References

Cloud Ready

Videos

VIDEO – HTTP Header Client Secret protected Web API

Video

Screenshots

Code

References

Connect

Tags

Cloud Ready

Videos