How to secure a .net core API project
I have a web app written in Angular 4 running behind IIS with the required SSL and one-to-one certificate mapping.
This SSL web ui application calls the .net core API project which also uses SignalR to pass it to the ui application.
They run two different URLs on the same domain.
https://ui.mysite.com
https://api.mysite.com
Both applications are NOT publicly available and require good security.
I find it convenient to block the ui site through separate certificates. The SSL certificate is found through a trusted certification authority and then creates self-signed certificates for client authentication.
What would you suggest to block the api site in the outside world so that only the ui site can access it (and internal developers inside our network for debugging purposes, i.e. looking at json responses)?
I've seen people mention oauth2 / jwt? Any examples?
The only people who need access are people in our company, but on devices that cannot be connected to our internal network, that is, to mobile phones or laptops while traveling.
source to share
You can definitely use JWT to secure web APIs.
Here's a good starting point: https://dev.to/samueleresca/developing-token-authentication-using-aspnet-core
Basically the way this implementation works is every controller or action with an attribute [Authorize]
requires an access token to be sent via the Authorization
request header . This access token is obtained by sending a POST request to /api/token
with a username and password. Each key has a preset expiration time, which you can change in the code.
It's a simple JWT, but you can also extend it with assertions like roles.
source to share