Securing your web API

At this point, we have managed to create a few API endpoints, but there is a concern that anyone can hit the endpoints from any browser and even manage to modify/delete our game invitations, as long as they know what parameters to pass on. This is a security threat, and you can imagine the implications with an application handling a high level of sensitive functionality.

We will deal with security for ASP.NET Core 3 in Chapter 10, Securing ASP.NET Core 3 Applications, and Chapter 11, Securing ASP.NET Applications Vulnerabilities, but it is worth noting the available security measures for our web API endpoints. Let's have a look at the following screenshot, which shows the Authorization tab of Postman:

Take note of the different types of authorization that Postman supports, including No Auth, meaning no authorization at all.

Chapter 11, Securing ASP.NET Applications Vulnerabilities, will give us insight into the common security vulnerabilities that we have to watch out for. With this in mind, it is always important to secure our web API endpoints with any of the following authorization options:

  • API key
  • Bearer token
  • Basic auth
  • Digest auth
  • OAuth 1.0
  • OAuth 2.0
  • Hawk authentication
  • AWS signature
  • NTLM authentication

These authentication options are explained further on the following documentation, which talks about authorization in Postman: https://learning.getpostman.com/docs/postman/sending-api-requests/authorization/.
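To make the point concrete, here is an added example (not code from the book or its sample project) of wiring one of the options above, Bearer token authentication with JWTs, into an ASP.NET Core 3 web API and protecting the modify/delete endpoints with `[Authorize]`. It assumes the `Microsoft.AspNetCore.Authentication.JwtBearer` NuGet package, hypothetical configuration keys `Jwt:Issuer`, `Jwt:Audience` and `Jwt:SigningKey`, and a hypothetical `GameInvitationController`; the request from Postman's Bearer Token option arrives as an `Authorization: Bearer <token>` header, which this middleware validates before the controller action runs.

```csharp
// Startup.cs and a protected controller (added example; assumes the
// Microsoft.AspNetCore.Authentication.JwtBearer package is installed).
using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        // Hypothetical keys. The signing key belongs in a secret store (user secrets,
        // Key Vault, environment variables), never in appsettings.json checked into source control.
        var signingKey = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes(_configuration["Jwt:SigningKey"]));

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Reject tokens minted for another issuer or another audience.
                    ValidateIssuer = true,
                    ValidIssuer = _configuration["Jwt:Issuer"],
                    ValidateAudience = true,
                    ValidAudience = _configuration["Jwt:Audience"],
                    // Reject tokens whose signature does not verify with our key.
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = signingKey,
                    // Reject expired tokens, allowing only a small clock skew.
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(1)
                };
            });

        services.AddAuthorization();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();
        app.UseAuthentication();   // must come before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// Hypothetical controller. [Authorize] at class level makes every action require an
// authenticated caller; only the read action is explicitly opened with [AllowAnonymous],
// so modifying or deleting an invitation without a valid token returns 401.
[ApiController]
[Route("api/[controller]")]
[Authorize]
public class GameInvitationController : ControllerBase
{
    // Constructed in-memory store standing in for the book's persistence layer.
    private static readonly Dictionary<Guid, string> Invitations = new Dictionary<Guid, string>();

    [HttpGet]
    [AllowAnonymous]
    public ActionResult<IEnumerable<string>> Get() => Ok(Invitations.Values);

    [HttpPut("{id}")]
    public IActionResult Put(Guid id, [FromBody] string invitedBy)
    {
        Invitations[id] = invitedBy;
        return NoContent();
    }

    [HttpDelete("{id}")]
    public IActionResult Delete(Guid id)
    {
        if (!Invitations.Remove(id))
        {
            return NotFound();
        }
        return NoContent();
    }
}
```

The order of the middleware matters: `UseAuthentication` must populate `HttpContext.User` before `UseAuthorization` evaluates the `[Authorize]` attributes, and both must sit between `UseRouting` and `UseEndpoints`. With this in place, a request sent from Postman with No Auth selected can still list invitations, but a PUT or DELETE without a valid bearer token is rejected before the action body executes.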

Apart from making our APIs secure from unwanted users, there are legitimate users that we need to make sure have a great experience using our APIs. One of the ways of helping our users do this is by giving them access to documentation using our API specifications. We will learn how to do this in the next section.
