Imagine I have an ActionResult like this:

[HttpGet]
public ActionResult Cities(string q)
{
  // Return a list of cities that match the parameter
}

How do I stop all other sites apart from mine using this as if it's their own little REST-based service for getting a list of matching cities? Is checking the referrer the only way to go? Or are there any better ideas?

A: 

Why use REST if you are only using it inside your own project?

Make a method out of it in global.asax, for example. Everything can reach it.

Also, are you using this for jQuery/JSON?

An [HttpPost] and $.post could help you out in this case.

Stefanvds
A: 

How worried about it are you? The referrer can be faked if someone is determined enough.

Do you have some form of user session management already in place? If so, use that, though it still isn't bullet-proof if the visitor from another site is also logged into yours.

If not, implement something equivalent by setting a cookie in the originating page with a short expiry that must be present (and valid) on the target action.

Rob Walker
Thanks for your ideas, Rob. I was thinking that the cookie route may be the way to go, getting somewhat close to how CSRF attacks are mitigated, but all ideas are welcome.
James Smith
A: 

The only way to prevent other sites from accessing this action is to use some sort of authentication mechanism. You could use a cookie which was encrypted with your machineKey to make sure that the request came from the same domain. For this to work you need to have a login page which will emit the authentication cookie.

Darin Dimitrov
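The following is an added example, not code from the question or from Rob Walker's or Darin Dimitrov's answers. It combines the two suggestions above: the page that hosts the search box issues a short-lived cookie (Rob's idea), and the cookie's payload is sealed with the application's machineKey via MachineKey.Protect (Darin's idea), so only a server holding that key can mint one. The cookie name, the class and attribute names, the ten-minute lifetime and the city list are assumptions chosen for this example; Darin's login-based variant would replace CityToken.Issue with a FormsAuthentication cookie issued at login.

```csharp
// Added example (not from the original question or answers).
// Names such as CityToken, RequireCityTokenAttribute and the "citytoken"
// cookie are assumptions for this example. Requires .NET 4.5+ for
// MachineKey.Protect/Unprotect and ASP.NET MVC 3+ for HttpStatusCodeResult.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public static class CityToken
{
    public const string CookieName = "citytoken";
    // The purpose string binds the sealed blob to this use only; a blob sealed
    // for another purpose (e.g. a different feature) will not unprotect here.
    private static readonly string[] Purposes = { "cities-autocomplete" };
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(10); // assumed lifetime

    // Called from the action that renders the page containing the search box.
    public static void Issue(HttpResponseBase response)
    {
        DateTime expires = DateTime.UtcNow.Add(Lifetime);
        byte[] sealedBytes = MachineKey.Protect(BitConverter.GetBytes(expires.ToBinary()), Purposes);
        response.Cookies.Add(new HttpCookie(CookieName, HttpUtility.UrlTokenEncode(sealedBytes))
        {
            HttpOnly = true, // not readable from script; the browser attaches it automatically
            Secure = true,   // only sent over HTTPS (assumes the site is served over TLS)
            Path = "/",
            Expires = expires
        });
    }

    // True only if the cookie was sealed by this application's machineKey and has not expired.
    public static bool IsValid(HttpRequestBase request)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;
        try
        {
            byte[] raw = HttpUtility.UrlTokenDecode(cookie.Value);
            if (raw == null) return false;
            byte[] plain = MachineKey.Unprotect(raw, Purposes);
            if (plain == null || plain.Length != sizeof(long)) return false;
            DateTime expires = DateTime.FromBinary(BitConverter.ToInt64(plain, 0));
            return DateTime.UtcNow < expires;
        }
        catch (CryptographicException) { return false; } // tampered, or sealed with another key
        catch (FormatException) { return false; }        // not valid base64url
    }
}

// Action filter: refuse the request before the action body runs if the token is missing or stale.
public sealed class RequireCityTokenAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        if (!CityToken.IsValid(filterContext.HttpContext.Request))
            filterContext.Result = new HttpStatusCodeResult(403, "Missing or expired token");
    }
}

public class CitiesController : Controller
{
    // Constructed sample data standing in for the real city lookup.
    private static readonly string[] KnownCities = { "Berlin", "Bergen", "Boston", "Bristol" };

    // The page that hosts the autocomplete box: issues the cookie, then renders the view.
    [HttpGet]
    public ActionResult Search()
    {
        CityToken.Issue(Response);
        return View();
    }

    // The lookup from the question, now gated on the cookie.
    [HttpGet, RequireCityToken]
    public ActionResult Cities(string q)
    {
        string prefix = q ?? string.Empty;
        var matches = KnownCities
            .Where(c => c.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            .ToArray();
        return Json(matches, JsonRequestBehavior.AllowGet); // GET requires AllowGet
    }
}
```

Two caveats follow from the thread itself. First, as Rob says, this is not bullet-proof: cookies are ambient, so a browser that has visited your Search page within the lifetime will still attach the cookie to a GET that another site's page triggers. What the token stops is server-side scraping and pages whose visitors have never loaded yours. Second, the check must come from MachineKey.Unprotect throwing or returning garbage, never from trusting the cookie's contents directly; that is why IsValid catches CryptographicException and treats it as a failed check rather than an error to surface.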
A: 

How tied to the idea of it being an HttpGet request are you? If it was an HttpPost you could use the AntiForgeryToken and its attribute to ensure that it came from the correct page; this is basically using the cookie method, but all nicely wrapped up for you.

Chao
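As an added example (not code from Chao's or Stefanvds's answers), here is the lookup turned into a POST protected by MVC's built-in anti-forgery token, which is the route both of them point at. The controller and action names follow the question; the view fragment shown in the comment, the form id and the jQuery call are assumptions about how the hosting page would call the action.

```csharp
// Added example (not from the original question or answers).
// The view fragment in the comment below is an assumption about the hosting
// page; Html.AntiForgeryToken() works in both the WebForms and Razor view engines.
using System;
using System.Linq;
using System.Web.Mvc;

public class CitiesController : Controller
{
    // Constructed sample data standing in for the real city lookup.
    private static readonly string[] KnownCities = { "Berlin", "Bergen", "Boston", "Bristol" };

    // Page hosting the search box. AntiForgeryToken() renders a hidden
    // __RequestVerificationToken field and sets a matching cookie. The page's
    // script posts the field with every lookup, e.g. (assumed view contents):
    //
    //   <form id="cityForm"><%= Html.AntiForgeryToken() %></form>
    //   <input id="q" type="text" />
    //   <script>
    //     $('#q').keyup(function () {
    //       var token = $('#cityForm input[name="__RequestVerificationToken"]').val();
    //       $.post('/Cities/Cities',
    //              { q: this.value, __RequestVerificationToken: token },
    //              function (cities) { /* render suggestions */ });
    //     });
    //   </script>
    [HttpGet]
    public ActionResult Search()
    {
        return View();
    }

    // ValidateAntiForgeryToken checks that the posted field and the cookie
    // form a matching pair issued by this application. A page on another site
    // can read neither (the cookie is scoped to your domain, the field lives
    // in your page), so it cannot produce a valid request; a request without
    // a matching pair throws HttpAntiForgeryException before the body runs.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Cities(string q)
    {
        string prefix = q ?? string.Empty;
        var matches = KnownCities
            .Where(c => c.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            .ToArray();
        return Json(matches); // POST responses may return JSON without AllowGet
    }
}
```

Switching to POST also means a plain `<script src>` or `<img>` from another page can no longer reach the action at all, since those only issue GETs. As with the cookie approaches above, a determined client can still load your Search page, take the token and cookie, and replay them from its own code; what this stops is other sites' pages using the action directly, which is what the question asks for.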