I'm working with ASP.NET Core 8.0.
I have a 2 part system (both using Windows authentication):
- a frontend that accepts asynchronous request from the client
- a backend API (restful)
Clients should make POST/DELETE request through AJAX calls to the frontend which would pass the requests to the API.
I'm impersonating requests from the frontend to the API. But I'm wondering how can I work with anti-forgery tokens?
The frontend can have a anti-forgery token passed to the client and back. But the API should also be sure that requests are made from a trusted source, hence anti-forgery tokens.
But how do I impersonate both the user and anti-forgery tokens? Is my thought process wrong?
Actually, there is no need to let the web api know the client contains the anti-forgery tokens.
You have three part, client , frontend. The client will call your frontend and frontend will send the request to the web api.
The frontend can have an anti-forgery token passed to the client and back.
If you want to increase the security, you could firstly write the logic to check the client at frontend with anti-forgery token or else to make sure the client is security or not.
Then inside the web api side, you just need to check if this request is sent from your trusted frontend by using IP adress or specific token which just for the frontend.