I have a controller that I'm using specifically for AJAX stuff, i.e. jQuery makes a call to a particular URL and it passes back some JSON. However, some of the actions in this controller make use of services that we pay for and I don't want other people to be able to call these outside of my app.
I’ve seen this question which restricts access to a controller by IP which is all well and good, but since technically this will be called client-side I can’t use this kind of restriction.
So how do I go about doing this? Or am I going about it the wrong way?
Edit: Would doing it as a POST rather than a GET be better?
Edit2: I think I need to explain more. The ajax call is to a URL in my web app. That controller is for an action which then (server-side) calls the web service from the lookup service.
So it sounds like you are using an external postcode lookup service (where I assume you pay-per-request) and you don’t want someone else to make postcode lookup requests by piggy-backing on your service, where you will get charged?
The first thing you should do is check whether your service provider allows you to specify a whitelist of referrers. Since many of these APIs mean your "API key" is in JavaScript somewhere, this is often used to only allow service requests (using your key) from a specific host or IP address.
With this done, you'll want to ensure that your postcode lookup action is only called from pages within your site.
You can do this with some kind of anti-forgery token on the client. Phil Haack posted recently about getting this to work with AJAX posts.
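As an added illustration of the approach in this answer (example code, not from the question, the answer, or Phil Haack's post), here is an ASP.NET MVC action that fronts the paid lookup and refuses any POST that does not carry the site's anti-forgery token. The controller, service names and the `IPostcodeLookup` interface are assumptions.

```csharp
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical client for the pay-per-request postcode service.
public interface IPostcodeLookup
{
    object Lookup(string postcode);
}

public class LookupAjaxController : Controller
{
    private readonly IPostcodeLookup _lookup;

    public LookupAjaxController(IPostcodeLookup lookup)
    {
        _lookup = lookup;
    }

    // POST only: a GET URL can be pasted into any browser or fetched by
    // any script, and the token travels in the POST body anyway.
    [HttpPost]
    public ActionResult Postcode(string postcode)
    {
        try
        {
            // Compares the __RequestVerificationToken form field with the
            // anti-forgery cookie. Both are minted by @Html.AntiForgeryToken()
            // on a page our server rendered, so a caller who never loaded one
            // of our pages cannot produce a matching pair.
            AntiForgery.Validate();
        }
        catch (HttpAntiForgeryException)
        {
            // Answer with JSON rather than the default HTML error page so the
            // jQuery caller sees a clean 403, and the paid service is never hit.
            Response.StatusCode = 403;
            return Json(new { error = "missing or invalid anti-forgery token" });
        }

        // Cheap input check before anything that costs money.
        if (string.IsNullOrWhiteSpace(postcode) || postcode.Length > 10)
        {
            Response.StatusCode = 400;
            return Json(new { error = "postcode required" });
        }

        // Only now spend a request on the external service.
        // Json() defaults to DenyGet, which matches the [HttpPost] above.
        return Json(_lookup.Lookup(postcode.Trim()));
    }
}
```

The view renders `@Html.AntiForgeryToken()` and the jQuery call posts the `__RequestVerificationToken` field alongside the postcode as form-encoded data. The token only proves the call came from a page you served; it does not limit how many lookups that page then makes, so a per-session quota on the action is its usual companion.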