Deny direct URL access to action method

Question

I\'m trying to find a way to deny any direct access to my action methods. Basically what I want my users to click on links to navigate instead of typing the URL directly into th

Answer 1

It is impossible to securely ensure that an authorized user CANNOT spoof a valid request.
After all, if the browser can create a "valid request", then so can an authorized user!

However, this is an unusual requirement, and I'm interested to know what's the motivation behind it?

There are, however, a number of ways to make it harder to spoof the request.
Since no methods will be completely secure, you can try to obfuscate and make it tedious for someone to spoof your requests.

As others have suggested, you could create a random "token" per session and require it in the URL (either as a path or as a querystring).

It would be even better to use JavaScript for this. Render a hidden input with this "token". Then, intercept each link's click event, append the "token" value to the URL, then navigate to the URL.

You can enhance the JavaScript to somehow "process" your token before using it, and minify your JavaScript to obfuscate it ... this would definitely deter even the above-average users from tinkering with your URLs.

There are tons of possible solutions, but the "right" solution really depends on what specific behavior you are trying to prevent.