controller access denoyed

Question

controller access denoyed

Samiullah Barki 1

My C# controller method was call by postman how to stop it from calling it.

0 comments

3 answers

Your answer

Answer 1

Anonymous

Hi @Samiullah Barki ,

Whether your application is an .NET application (asp.net core or asp.net 5,6) or a .NET Framework application (.NET Framework 1.0 - 4.8)?

My C# controller method was call by postman how to stop it from calling it.

To this issue, you can't prevent the API/MVC controller method called by the postman. You can reject the request based on the source IP or port, the headers including user agent, API keys or other credentials, but if your API can be accessed at all, then it can be accessed by postman or any other client using the same data.

To limit the way how people can access the data you can add API keys and user credentials, but the same user with the same API key and credentials will be able to access your API using any other software (like postman) and there is no way around it.

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best regards,
Dillion

Samiullah Barki 1 Reputation point

2022-03-08T06:05:21.47+00:00

My controller was not an API controller it was just a normal controller if some one inspect my web page then it can easily see the name of controller and method name also see the parameters then how i can save it from calling it to from other source like postman
Anonymous

2022-03-08T09:33:07.877+00:00

Hi @Samiullah Barki ,

You can protect the controller via the Authorization or JWT token, then only the authenticated users could access the relates controller. But by using this method, the authorization information or JWT token will stored on the client side and add them in the request header, if the user gets this information, he can also access the controller via the postman (in the postman directly add the authorization information or JWT token in the request header).

So you still can't prevent the controller to be called from the Postman.

To protect the controller, as mentioned in previous, you can use Asp.net core Authorization (Assume your application is an Asp.net core application, if it isn't an asp.net core application, you can search relates article about Asp.net) or use JWT Authentication In ASP.NET Core, then, you can set the cookie's expired time (generally the user credentials was stored in cookie) or token expired time.

Here are some tutorials you can refer to them:

JWT Authentication In ASP.NET Core

ASP.NET Core Identity and Claims-based authorization in ASP.NET Core

Best regards,
Dillion

Answer 2

Bruce (SqlWork.com) 84,086

Web site are an open api. There is no way to inforce the controllers to only be called by the site web pages. There are dozen of screen scraper tools to support by passing the pages.

You should assume the controllers are called by via outside sources, verify the data and user access.

0 comments

Answer 3

AgaveJoe 31,361

Use the authentication and authorization features.

Simple authorization in ASP.NET Core

0 comments

Share via

controller access denoyed

3 answers

Your answer