Products

Evoq Content Overview Content Creation Workflow Asset Management Mobile Responsive Personalization Content Analytics SEO Integrations Security Website PerformanceEvoq Engage Overview Community Management  Dashboard  Analytics  Member Profile Gamification Advocate Marketing Community Engagement  Ideas  Answers  Discussions  Groups  Wikis  Events Mobile ReadyDNN Support PackagesEvoq: CMS FeaturesEvoq OnDemandCompare DNN's CMS Products

Solutions

Content Management SystemMulti-Channel PublishingDigital MarketingOnline Community ManagementIntranet Software SolutionOur CustomersPrime

Resources

Test DrivesSchedule A DemoDocumentation CenterWebinarsWhite PapersProduct ManualsRequest PricingData SheetsCase StudiesEvoq Preferred Products Content Management Ecommerce Forms Identity Management and Authentication Site Management Social Themes

Partners

DNN Partners Partner Directory Become a DNN Partner Partner Program Overview  Hosting  Implementation  ISV  Training  Competencies

Community

Participate Ask a Question Forums Community Showcase DNN MVP  Program Overview  Lifetime MVPs  Honorary MVPs Subscribe to DNN Digest Advisory Groups  Awareness Advisory Group  Developer Advisory Group  Partner Advisory Group  Technology Advisory GroupLearn Documentation Wiki Community Blog Video Library Project History Development RoadmapDownload DNN Store Language Packs Manuals Nightly BuildsSecurity Policies Security Center

Blog

About

News Press Releases News Coverage Press KitCareersContact DNN

QA

Ideas Test

New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen
HomeHomeUsing DNN Platf...Using DNN Platf...Using Modules a...Using Modules a...How to make an HttpGet method of WebAPI service secure?How to make an HttpGet method of WebAPI service secure?
Previous
 
Next
New Post
8/8/2015 1:00 PM
 
Apeksha Shah


Joined: 8/6/2010
Posts: 98

Hello,

I have a module, where I am building a WebAPI service to retrieve data through jQuery AJAX. The main purpose of this is to improve performance. Some of this data is sensitive and I would like to make the service secure.

I looked into implementing ValidateAntiForgeryToken, but it appears to be for HttpPost methods only, the ones that modify data. http://www.dnnsoftware.com/answers/va...

So how do I make a Get method secure? It does not modify any data on invocation, only retrieves some secure data for the calling page. I already have the "DnnAuthorize" attribute on the method.

Thanks.
 
New Post
8/9/2015 9:47 PM
 
Clint Patterson


Joined: 5/26/2009
Posts: 366

You should be able to do this in the way you define your class. Check out blog entry on Creating the Web Service class in my module development blog series. Scroll down to the "Allow Anonymous" paragraph and you can see where you can update the security levels of your HTTPGET requests there

Hope this is helpful...
 
New Post
8/10/2015 12:21 PM
 
Apeksha Shah


Joined: 8/6/2010
Posts: 98

Thank you Clinton, for the reply and for the great article. I followed that article when working with DNN Web APIs for the first time.

Unfortunately, I am not able to use DNNModuleAuthorize as my module has its own permission settings, where admins can assign actions to roles. I just want to make sure that a registered user is accessing the service, and the rest can be handled by the module. I am wondering if just the DNNAuthorize attribute on the method is secure enough - for example, against CSRF attack.

Appreciate your input.
 
New Post
8/12/2015 10:11 AM
 
Clint Patterson


Joined: 5/26/2009
Posts: 366

From what I am aware the ValidateAntiForgery token is what is there to prevent the CSSRF attacks
 
New Post
8/12/2015 12:05 PM
 
cathal connolly


cathal connolly's Avatar

www.cathal.co.uk
Joined: 4/9/2003
Posts: 9676
To prevent cross-site scripting you need to use HttpPost requests not Get requests (and you also need to use ValidateAntiForgery token's)
Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
 
 Page 1 of 2
12Next 
Previous
 
Next
HomeHomeUsing DNN Platf...Using DNN Platf...Using Modules a...Using Modules a...How to make an HttpGet method of WebAPI service secure?How to make an HttpGet method of WebAPI service secure?


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out