How do I protect a public ASMX page that posts important data to my database
I have a site in development with several web services (ASMX) that post important data to my database. When I navigate to the ASMX file in my browser, I can fill in the form with the parameters and post to the DB. If someone finds the URL to my WS, the开发者_如何学Cy can severely alter my database. I want to prevent people from being able to post to my WS publicly. So far, I've thought of two things that may help but I'd like to know if there are any other ways:
- Check to see if the HTTP Referrer to the WS method is the domain the WS is on
- Add an additional parameter called Key to all important WS methods and have this be an encrypted "password." Then encrypt my stored password on the WS side and compare if the keys match.
If there are any other best practices or techniques I can use to secure my WS, please share!
Some of these might be helpful to you:
- Securing IIS
- Building Secure Webservices with SOAP Headers
- Build Webservices with SSL
Also please note that the test webpage (which shows sample tetboxes) should only be accessible from the local machine, if it is viewable from other machines there is probably a configuration issue going on.
The easiest thing to do is to just disable that test page. You can do this by adding the following to your web.config of your web service:
<webServices>
<protocols >
<remove name="HttpGet"/>
<remove name="HttpPost"/>
<remove name="HttpPostLocalhost"/>
</protocols>
Also, here is a decent article on other ways to secure your web service, including adding authentication in the soap header.
If the referrer is in the same domain then an easy way would be to set a cookie in the referring page and then check for the existence of the cookie in the ASMX (plus whatever other checks you want to implement). Note that the domain has to be the same otherwise this technique won't work.
精彩评论