19 Oct 2015
    public string MyMethod(string sampleParameter)
    {
        Uri urlReferrer = ((System.Web.HttpContextWrapper)Request.Properties["MS_HttpContext"]).Request.UrlReferrer;
        // Both values are lowercased before comparison, so the literals must be lowercase too.
        if (urlReferrer != null
            && urlReferrer.AbsolutePath.ToLower().Contains("/sites/mysitecollection")
            && urlReferrer.Host.ToLower().Contains("mydomain"))
        {
            // Do the actual stuff and return its result
        }
        return "Not a Valid Request";
    }
In the code above, if the Web API is called directly, urlReferrer will not contain our site collection URL, so the method returns the "Not a Valid Request" message.
The Web API responds only when the request comes from our site collection.
Though this looks like a small detail, it is really important from a security point of view.
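A stricter form of the same referrer test, as an added example that is not part of the original post: it compares the host exactly and matches the path as a prefix ending on a segment boundary, instead of using substring checks. The host name `mydomain.example`, the class name `ReferrerCheck` and the sample URLs are assumptions built from the post's placeholders.

```csharp
using System;

public static class ReferrerCheck
{
    // Assumed values, modelled on the placeholders used in the post.
    private const string AllowedHost = "mydomain.example";
    private const string AllowedPathPrefix = "/sites/MySiteCollection";

    public static bool IsFromSiteCollection(Uri referrer)
    {
        if (referrer == null || !referrer.IsAbsoluteUri)
            return false;

        // Exact host comparison: a substring test would also accept
        // a host such as "mydomain.example.other.test".
        if (!string.Equals(referrer.Host, AllowedHost, StringComparison.OrdinalIgnoreCase))
            return false;

        // Prefix match that must end on a path segment boundary, so that
        // "/sites/MySiteCollectionOther" is not accepted.
        string path = referrer.AbsolutePath;
        if (!path.StartsWith(AllowedPathPrefix, StringComparison.OrdinalIgnoreCase))
            return false;
        return path.Length == AllowedPathPrefix.Length
            || path[AllowedPathPrefix.Length] == '/';
    }

    public static void Main()
    {
        // Constructed sample referrers: the first two pass, the rest fail.
        string[] samples =
        {
            "https://mydomain.example/sites/MySiteCollection/Pages/Home.aspx",
            "https://MYDOMAIN.example/sites/mysitecollection",
            "https://mydomain.example.other.test/sites/MySiteCollection/",
            "https://mydomain.example/sites/MySiteCollectionOther/",
            "https://other.test/?next=/sites/MySiteCollection",
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-5} {1}", IsFromSiteCollection(new Uri(s)), s);
    }
}
```

The Referer header is supplied by the client, so this check only filters out casual direct calls; the Web API should still authenticate and authorize each request.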