How to secure a controller on WebAPI for use by only the local machine

Front-end · Unresolved · 2 answers · 1717 views
自闭症患者 2021-01-01 17:11

I have an ASP.NET MVC website that makes use of WebAPI, SignalR.

I wish for my server (the same server that hosts the website) to make HTTP requests to a WebAPI cont

2 answers
  •  挽巷 (original poster)
     2021-01-01 17:28

    I wanted to clarify as to whether HttpRequest.Context.Request.IsLocal is secure or not.

    I just decompiled IsLocal() from HttpWorkerRequest and it reveals the following code:

    internal bool IsLocal()
    {
        string remoteAddress = this.GetRemoteAddress();
        if (string.IsNullOrEmpty(remoteAddress))
        {
            return false;
        }
        if (remoteAddress == "127.0.0.1" || remoteAddress == "::1")
        {
            return true;
        }
        if (remoteAddress == this.GetLocalAddress())
        {
            return true;
        }
        return false;
    }
    

    The first two checks look fine, but I was suspicious and wanted to check to see what this.GetLocalAddress() returns to check against.

    In the instance of System.Web.Hosting.IIS7WorkerRequest, this decompiles to the following:

    public override string GetLocalAddress()
    {
        return this.GetServerVariable("LOCAL_ADDR");
    }
    

    In my local environment this returns 127.0.0.1, so all looks good!

    Also, according to this post, localhost can't be spoofed.
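The decision logic of the decompiled IsLocal() above, modelled in Python as an added example that is not part of the original answer; the sample addresses, the LOCAL_ADDR values and the stricter `is_loopback_strict` alternative are my own construction, shown side by side so the edge cases of the exact-string comparison are visible.

```python
# Added example (not from the original post): a Python model of the decompiled
# HttpWorkerRequest.IsLocal() logic, next to a stricter loopback check.
import ipaddress


def is_local_like_aspnet(remote_address: str, local_address: str) -> bool:
    """Mirror the decompiled IsLocal(): exact string matches only."""
    if not remote_address:
        return False
    if remote_address in ("127.0.0.1", "::1"):
        return True
    # LOCAL_ADDR is the interface address the request was accepted on, so a
    # request whose source address equals that interface address also passes.
    return remote_address == local_address


def is_loopback_strict(remote_address: str) -> bool:
    """Stricter alternative: parse the address and require a loopback source."""
    try:
        addr = ipaddress.ip_address(remote_address)
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 -> 127.0.0.1
    return addr.is_loopback


# Constructed sample requests: (remote address, LOCAL_ADDR server variable).
SAMPLES = [
    ("127.0.0.1", "127.0.0.1"),
    ("::1", "::1"),
    ("127.0.0.2", "127.0.0.1"),         # inside 127/8, but not the literal string
    ("::ffff:127.0.0.1", "127.0.0.1"),  # IPv4-mapped IPv6 loopback
    ("203.0.113.10", "203.0.113.10"),   # source equals the server's own interface
    ("203.0.113.99", "203.0.113.10"),   # some other host
    ("", "127.0.0.1"),                  # missing remote address
]


def compare(samples=SAMPLES):
    """Return (remote, IsLocal-style verdict, strict loopback verdict) per sample."""
    return [(remote, is_local_like_aspnet(remote, local), is_loopback_strict(remote))
            for remote, local in samples]


if __name__ == "__main__":
    for remote, aspnet, strict in compare():
        print(f"{remote or '<empty>':20} IsLocal={aspnet!s:5} strict_loopback={strict}")
```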
