Securing anonymous asp.net core 2.0 API

I’ve read a lot of posts on here and in other places but I can’t quite figure out what I should be doing to secure my API properly.

I’ve developed an anonymous questionnaire angularjs 1.* app that calls an asp.net core 2.0 web api. Users never authenticate and may, should they wish to, add their email address at the end of the process.

FYI, it’s a CQRS backend and is hosted on an Azure VM.

I initially thought I would be able to use a service like Auth0 to create a token for a temporary user that contained both a unique ID for the person completing the questionnaire (like a sessionId) and the unique ID for the questionnaire being created (these are generated at the beginning of the process). However, I’m not sure this is right and I can’t figure out how to do that and also verify it on the server (would I write a custom authorisation handler or similar)!

I also planned to use an API key (generated by Auth0) and validate that on each call. This seems easy enough although I’m not sure how I would secure the API key as it would be held in the client JavaScript.

Any advice would be greatly appreciated.

Also posted on stackoverflow:angularjs - Securing anonymous asp.net core 2.0 API - Stack Overflow

From the situation you describe you won’t be requiring any sort of end-user authentication and the API will be called from a browser-based application available over the Internet. A browser-based application, in OAuth2 terminology, would qualify as a public client (aka a client that is unable to perform client authentication given it cannot securely maintain any notion of a secret).

If you want to allow anonymous access (no end-user authentication) and any sort of client authentication is also not feasible then the API needs to also allow anonymous access. In this scenario you’ll likely need to consider other stuff like rate limiting and captcha if you want to have some sort of protection from abuse.

Thanks so much for the response. You’re right I don’t need any end-user authentication and yes the application is called from a browser. However in theory it could be called by anything (I’m not sure how I could restrict that). I’ve added CORS restrictions but as I understand it that can easily be “faked”.

I’ve added rate limiting on your recommendation but not sure if there is anything else I can do. I might add a client API key for good measure but this will be stored in the client in JS so is easy to find even in the minified code.

Thanks so much for the response. You’re right I don’t need any end-user authentication and yes the application is called from a browser. However in theory it could be called by anything (I’m not sure how I could restrict that). I’ve added CORS restrictions but as I understand it that can easily be “faked”.

I’ve added rate limiting on your recommendation but not sure if there is anything else I can do. I might add a client API key for good measure but this will be stored in the client in JS so is easy to find even in the minified code.