I use Asp.net web APIs to provide apis to client (iphone, android, mac os,web,windows,...). I want to implement some API with more security, which I prevent some other understand the parameter in the link (in case they hack the link)
My question is: Can I use Https/SSL for this? Is it enough secure? If yes, Should I install any thing at client side to implement this?
Thanks
It depends on where you are going to host your ASP.NET Web API application. If you are going to host it under IIS, you don't need to do anything special other than configuring SSL through IIS.
One thing you should do IMO is to force HTTPS through your application. You can implement this with different ways (such as IIS URL Redirect module, etc.) but you can also do this at the application level with a message handler:
public class RequireHttpsMessageHandler : DelegatingHandler {
protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) {
if (request.RequestUri.Scheme != Uri.UriSchemeHttps) {
var forbiddenResponse = request.CreateResponse(HttpStatusCode.Forbidden);
forbiddenResponse.ReasonPhrase = "SSL Required";
return Task.FromResult<HttpResponseMessage>(forbiddenResponse);
}
return base.SendAsync(request, cancellationToken);
}
}
HttpClient also supports SSL just like any other .NET web clients. Have a look at this article: http://blogs.msdn.com/b/henrikn/archive/2012/08/07/httpclient-httpclienthandler-and-httpwebrequesthandler.aspx
