User Agent Based Route Blocking
Summary
This NuGet library allows you to block certain routes based on whether or not they have a certain user agent. It is a very simple way of doing API based authorisation. It also has the ability to allow certain referrers through, which can help enable your swagger to work for example, or help limit user agents coming from a certain site.
An example might be you want to limit anyone from hitting https://api.example.com/v1/create-user.json unless they have the user agent EXAMPLE.COM-FRONTEND
which your front end client sends. You could then also only allow requests with that user agent from https://example.com
and also https://api.example.com
(the latter which would allow your swagger to work for example).
How to use
Configuration is set through your appsettings.json (or you can inject as environment variables).
Some how to use notes
- The path check does a "starts with" check. Meaning to protect
https://api.example.com/v1
you would enter inUserAgentBasedRouteBlocking:Paths
"/v1". This also means it acts like a wildcard meaning anything which starts with "/v1" is protected. Eg:/v1/create.json
,/v1/upload.json
etc - User agent does a contains check, meaning
Mozilla
would coverMozilla 5.0 - Linux
for example. - Referrer does a "contains" check, meaning
https://example.com/a-page
would be covered by settinghttps://example.com
in your config
In your appsettings.json you need a structure of:
{
"UserAgentBasedRouteBlocking": {
"Paths": [
LIST
OF
PATHS
TO
CHECK
],
"Referrer": {
"AllowAll": bool - optional defaults to false,
"Allowed": [
LIST
OF
ALLOWED
REFERRERS
]
},
"UserAgent": {
"AllowAll": bool - optional defaults to false,
"Allowed": [
LIST
OF
ALLOWED
USER
AGENTS
]
}
}
}
Below is an example which:
- Checks the paths,
/v1/hello-world.json
,/v1/diagnostics
and/v2
- It is important to note that this checks the start of the route, so for example
/v2/api.json
would be covered by/v2
- It is important to note that this checks the start of the route, so for example
- Allows requests from
https://google.com
,https://facebook.com
,https://apiconsumer.com
- Allows requests from user agents
API Consumer User Agent
andAPI Consumer2 User Agent
{
"UserAgentBasedRouteBlocking": {
"Paths": [
"/v1/hello-world.json",
"/v1/diagnostics",
"/v2/"
],
"Referrer": {
"AllowAll": false,
"Allowed": [
"https://google.com",
"https://facebook.com",
"https://apiconsumer.com"
]
},
"UserAgent": {
"AllowAll": false,
"Allowed": [
"API Consumer User Agent",
"API Consumer2 User Agent"
]
}
}
}
As you have provided allowed lists for user agents and referrers, you do not need to set the AllowAll property for each.