We need to identify the proper way for anonymous requests to be made specifically from the website. We desire a result of [AllowAnonymous] for any unauthorized website visitor. We do NOT want to allow requests from any program / client from the open internet for these calls.
Possible solutions:
- Specific authorization policy that relies on a private header value
- Use CORS in some way to restrict which requests make it through. This is preferable as we already have a CORS policy, but we'll still have to get past the authorization middleware.
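
One way the header-based policy from the list above could look in ASP.NET Core 6+ minimal hosting, as an added example that is not the project's own code. The names WebsiteOnly, X-Site-Key, SiteKey and the route are hypothetical, and the header is assumed to be attached by the website's server-side tier, since a value embedded in browser script is visible to every visitor.

```csharp
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Authorization;

// Hypothetical names: "WebsiteOnly" policy, "X-Site-Key" header, "SiteKey" config entry.
// The app's existing AddAuthentication(...)/UseAuthentication() setup is assumed and omitted.
var builder = WebApplication.CreateBuilder(args);
var siteKey = builder.Configuration["SiteKey"];
if (string.IsNullOrEmpty(siteKey)) throw new InvalidOperationException("SiteKey is not configured");
builder.Services.AddHttpContextAccessor();
builder.Services.AddSingleton<IAuthorizationHandler, SiteHeaderHandler>();
builder.Services.AddAuthorization(o =>
    o.AddPolicy("WebsiteOnly", p => p.AddRequirements(new SiteHeaderRequirement(siteKey))));

var app = builder.Build();
app.UseAuthorization();
// The endpoint carries the policy instead of [AllowAnonymous]: [AllowAnonymous] skips
// authorization entirely, while this policy admits unauthenticated callers with the header.
app.MapGet("/api/public/quote", () => Results.Ok(new { ok = true })) // hypothetical route
   .RequireAuthorization("WebsiteOnly");
app.Run();

public sealed class SiteHeaderRequirement : IAuthorizationRequirement
{
    public SiteHeaderRequirement(string expected) => Expected = Encoding.UTF8.GetBytes(expected);
    public byte[] Expected { get; }
}

public sealed class SiteHeaderHandler : AuthorizationHandler<SiteHeaderRequirement>
{
    private readonly IHttpContextAccessor _http;
    public SiteHeaderHandler(IHttpContextAccessor http) => _http = http;

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, SiteHeaderRequirement requirement)
    {
        var headers = _http.HttpContext?.Request.Headers;
        if (headers is not null && headers.TryGetValue("X-Site-Key", out var values)
            && values.Count == 1)
        {
            var supplied = Encoding.UTF8.GetBytes(values[0] ?? string.Empty);
            // Constant-time comparison so response timing does not reveal the key.
            if (CryptographicOperations.FixedTimeEquals(supplied, requirement.Expected))
                context.Succeed(requirement);
        }
        // Not calling Succeed leaves the requirement unmet, so the request is rejected.
        return Task.CompletedTask;
    }
}
```

CORS alone does not cover the second requirement, because it is enforced by browsers and clients that are not browsers ignore it.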
Filtering of anonymous requests