
c# - How to restrict ASP.NET Web API from querying with different values - Stack Overflow


I have a third-party React page which makes some API calls to a .NET backend. I need a way to restrict people from hacking the API by changing values in the request.

When someone opens the third-party page, it should only allow viewing that specific information.

My APIs are protected with a bearer token, yet one can change the parameter values of an API request and access other information.

One solution is to pass the GUID value of the resource instead of the ID value.

Is there any other way, using a custom attribute / policy, to restrict APIs from being queried with different values?

Open for suggestions.


asked by Shivanka; edited by marc_s
  • 2 The server-side needs to verify that the specific user has access to the specific resource. There is no magic way to do that. You need to build that. – mjwills Commented yesterday
  • If you want to search for ideas / documentation, the concept is called Authorization. Authentication - which you appear to already be doing - is the part establishing the identity of the user. Authorization is deciding whether that user can do this thing they're trying to do. – sellotape Commented yesterday
  • Yes, I do have Authorization and Authentication in place; my issue is that I need to restrict API calls to one specific value. E.g. GetCustomer(100) should only return the customer with ID 100, and even making a call to GetCustomer(101) should return status 400. – Shivanka Commented 18 hours ago
  • You might have authorization in the sense that you have .AddAuthorization() and .UseAuthorization() in your code, but that is only the very beginning. Authorization IS the process of restricting those calls. As @mjwills says, you need to write code to do it (in the API). ASP.NET provides a lot of plumbing for it - and the rabbit-hole is pretty deep - but it cannot know the rules you want to impose, and ultimately you need to write those yourself in code. – sellotape Commented 16 hours ago

1 Answer


Authentication vs. Authorization

Authentication: This is the process of verifying a user's identity. For instance, when Alice logs in with her username and password, the server uses the password to authenticate her.

Authorization: This process determines if an authenticated user is permitted to perform a specific action. For example, Alice may have permission to retrieve a resource but not create one.

Microsoft provides some essential tools like claims, roles, and policies to implement authorization, but a significant part of the work must be customized to your specific needs for your application.

For more detailed information and practical examples, you can visit Microsoft's official documentation on ASP.NET Core Security. see here
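The answer names the ASP.NET Core building blocks (claims, policies) without showing how they are wired together for the asker's case. The following is an added example, not code from the question or the answer, of ASP.NET Core resource-based authorization: the policy is evaluated against the loaded customer record, so a caller who edits `100` into `101` in the URL is rejected by the server regardless of whether the identifier is an integer or a GUID (switching to GUIDs only makes identifiers harder to guess; it is not an authorization check). The `Customer` type, the `ICustomerRepository` interface, the policy name `SameCustomer` and the `customer_id` claim are assumptions for illustration; the claim is assumed to be placed in the bearer token by the identity provider, which is what makes it trustworthy, since the client cannot alter a signed token's claims the way it can alter a query parameter.

```csharp
// Added example of ASP.NET Core resource-based authorization (not from the original post).
// Assumed for illustration: the Customer type, ICustomerRepository, the "SameCustomer"
// policy name, and a "customer_id" claim issued into the bearer token by the IdP.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public record Customer(int Id, string Name);

// Hypothetical data access abstraction; a real implementation would query the database.
public interface ICustomerRepository
{
    Task<Customer?> FindAsync(int id);
}

// Marker requirement: "the caller may only read their own customer record".
public class SameCustomerRequirement : IAuthorizationRequirement { }

// Handler evaluated per resource. It compares the customer record actually loaded
// from storage with the customer_id claim carried in the (signed) bearer token.
public class SameCustomerHandler
    : AuthorizationHandler<SameCustomerRequirement, Customer>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        SameCustomerRequirement requirement,
        Customer resource)
    {
        var claim = context.User.FindFirst("customer_id");
        if (claim != null
            && int.TryParse(claim.Value, out var ownId)
            && ownId == resource.Id)
        {
            context.Succeed(requirement);
        }
        // Deliberately not calling context.Fail(): another handler for the same
        // requirement (e.g. one that admits an "admin" role) may still succeed.
        return Task.CompletedTask;
    }
}

// Registration for Program.cs: builder.Services.AddSameCustomerAuthorization();
public static class SameCustomerAuthorizationSetup
{
    public static IServiceCollection AddSameCustomerAuthorization(this IServiceCollection services)
    {
        services.AddAuthorization(options =>
            options.AddPolicy("SameCustomer",
                policy => policy.AddRequirements(new SameCustomerRequirement())));
        services.AddSingleton<IAuthorizationHandler, SameCustomerHandler>();
        return services;
    }
}

[ApiController]
[Route("api/customers")]
[Authorize] // authentication: a valid bearer token is required for every action
public class CustomersController : ControllerBase
{
    private readonly ICustomerRepository _repo;
    private readonly IAuthorizationService _authz;

    public CustomersController(ICustomerRepository repo, IAuthorizationService authz)
    {
        _repo = repo;
        _authz = authz;
    }

    // GET /api/customers/100
    [HttpGet("{id:int}")]
    public async Task<IActionResult> GetCustomer(int id)
    {
        var customer = await _repo.FindAsync(id);
        if (customer == null)
            return NotFound();

        // Authorization: the policy runs against the loaded resource, so tampering with
        // the id in the request is caught here rather than by hiding the identifier.
        var result = await _authz.AuthorizeAsync(User, customer, "SameCustomer");
        if (!result.Succeeded)
            return Forbid(); // 403; use NotFound() instead if existence must not be revealed

        return Ok(customer);
    }
}
```

Two practical notes: the comparison must use a value the server put into the token (or looks up server-side from the subject claim), never a value echoed back by the client; and the check belongs inside the action (or a handler that receives the resource), because an `[Authorize(Policy = ...)]` attribute alone runs before the route parameter has been resolved into a resource and therefore cannot know which customer is being requested.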
