Ways to secure an anonymous Web API request

予麋鹿 2021-02-02 09:29

I have an ASP.NET MVC (NOT ASP.NET Core) single page application with AngularJS on the front end.

My client (browser) talks to the server

3 answers
  •  傲寒 (original poster)
     2021-02-02 10:22

    First of all, when you remove login and there's no authentication mechanism in your application, there's really no way to secure anything, because anyone can access your APIs. I think what you want is to make sure that your APIs are called only from your own website. Unfortunately you can't completely achieve that, since your web APIs are HTTP/HTTPS, and anyone, from anywhere (like Postman, Fiddler, ...) can create an HTTP request and call your API.

    All you can do is to make it harder for your API to respond to requests, like using Anti-Forgery as you mentioned.

    And also I suggest you add a cookie for your application and check that cookie in every request; in this case it's more complicated (not impossible) to call your API using Fiddler or Postman.

    And last I suggest that you use CORS, so browsers would only allow your domain to call your APIs. So nobody can call your APIs in a browser from a different domain.
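The anti-forgery check the answer recommends, written for an AngularJS front end calling classic ASP.NET MVC actions, as an added example that is not part of the answer above. It assumes the AngularJS defaults (a readable `XSRF-TOKEN` cookie that `$http` echoes back in an `X-XSRF-TOKEN` header); the class and method names are hypothetical.

```csharp
using System;
using System.Net;
using System.Web;
using System.Web.Helpers;   // AntiForgery, AntiForgeryConfig (System.Web.WebPages.dll)
using System.Web.Mvc;

// Filter for AJAX actions: the built-in [ValidateAntiForgeryToken] expects the
// token in a form field, but an AngularJS SPA sends JSON with a header instead.
// The header half is paired with the HttpOnly anti-forgery cookie half, so a
// cross-site page (which cannot read the cookie) cannot forge a valid pair.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    // Assumed header name: AngularJS $http copies the XSRF-TOKEN cookie into it.
    private const string HeaderName = "X-XSRF-TOKEN";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        var cookie = request.Cookies[AntiForgeryConfig.CookieName];  // "__RequestVerificationToken" by default
        var headerToken = request.Headers[HeaderName];
        try
        {
            // Throws HttpAntiForgeryException when either half is missing or they do not match.
            AntiForgery.Validate(cookie?.Value, headerToken);
        }
        catch (HttpAntiForgeryException)
        {
            // Reject without running the action; no detail about which half failed.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden, "Invalid anti-forgery token");
        }
    }
}

public static class AntiForgeryTokens
{
    // Call this from the action that serves the SPA's index page (hypothetical helper).
    // The secret half stays in the HttpOnly anti-forgery cookie; the other half goes
    // in a JavaScript-readable cookie that AngularJS turns into the X-XSRF-TOKEN header.
    public static void Issue(HttpRequestBase request, HttpResponseBase response)
    {
        string cookieToken, formToken;
        var existing = request.Cookies[AntiForgeryConfig.CookieName];
        // newCookieToken is null when the existing cookie is still valid and can be reused.
        AntiForgery.GetTokens(existing?.Value, out cookieToken, out formToken);
        if (cookieToken != null)
            response.Cookies.Add(new HttpCookie(AntiForgeryConfig.CookieName, cookieToken) { HttpOnly = true, Secure = true });
        response.Cookies.Add(new HttpCookie("XSRF-TOKEN", formToken) { HttpOnly = false, Secure = true });
    }
}
```

Decorate the JSON actions the SPA calls with `[ValidateHeaderAntiForgeryToken]`; a plain cross-origin `$http.post` from another site then fails with 403 because the browser never attaches the header for it.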
