Protect Web API from Cross

2018-06-22 08:49:28

I noticed some traffic recently hitting one of my API endpoints that didn't add up. After looking into IIS logs I determined that it is a bot running on Amazon ec2 and scraping data that I would prefer wasn't available in this manner.

I'm a little confused here because nowhere in my application have I enabled CORS (I don't even have the package installed). Making a call to the offending API endpoint with PostMan I get the following headers back:

Cache-Control → no-cache
Content-Encoding → gzip
Content-Length → 357
Content-Type → application/json; charset=utf-8
Date → Wed, 14 Jan 2015 22:29:24 GMT
Expires → -1
Pragma → no-cache
Server → Microsoft-IIS/8.5
Vary → Accept-Encoding
X-AspNet-Version → 4.0.30319
X-Powered-By → ASP.NET

No Access-Control-Allow-Origin header at all.

As my front end application (which should be the sole consumer of the API at this point) is served up from the same domain as the API itself I would prefer to restrict access to that domain exclusively. Am I missing something obvious here? Or do I somehow need to install the CORS package and explicitly mark my API with [DisableCors] .

Unless I misunderstood your question:

CORS is for script (XMLHTTPRequest) access origins.

If the "bot" is making requests to your endpoint/API resource some other way, eg GET from a browser, or a server-side call, then its not a CORs matter.

In reality, your API will actually still respond to a script request, it's the client (browser) that looks for the header and determines what to do.

The setting in ASP.Net/web.config controls whether or not Response will include the Access-Control-Allow-Origin header (which the receiving browser/client evaluates).

Hth...

链接地址: http://www.djcxy.com/p/62772.html

上一篇: Cors不能解决交叉来源请求

下一篇: 从Cross保护Web API