(I also asked this question over on StackOverflow.)

What steps can I take to prevent unauthorised access to a method on an unauthenticated controller?

Background

The diagram below illustrates a microsite we're implementing, and an HMAC API we're providing (for several purposes) which returns commercially sensitive data to authenticated consumers. The arrows represent intended (green) and unintended (red) communication.

[component diagram]

The microsite allows us to collect data on behalf of a client. It will be reached via an email campaign to their users. We don't have a close relationship with this client, so I don't want to burden them in solving this.

The HMAC API is intended for address autocompletion. There is no login for the microsite. The page has an address input. To enable autocomplete the page makes an AJAX call to the controller's autocomplete suggestion method after each keystroke. The autocomplete suggestion method makes a request to the HMAC API.

The problem

I can't see anything currently preventing consumption of the controller's autocomplete suggestion method.

Considerations

I've read that AntiForgeryTokens aren't useful on GET methods or unsecured pages, and I can't use a one-time token because this method will be called many times.

Question

So how do I secure my controller method?

1 Answer

prevent unauthorised access to a method on an unauthenticated controller

If you don't have any authentication and authorization ("unauthenticated controller") then there can be no such thing as an unauthorized access: i.e. every access is allowed. And, what does not exist cannot be prevented.

If you could define what unauthorized access means in your use case you might be able to add some authorization which prevents it.

Steffen Ullrich
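The answer's point is that "unauthorized" has to be defined before it can be enforced. For the setup in the question (anonymous microsite, autocomplete action proxying a secret-keyed HMAC API) one workable definition is: a suggestion request is authorized if it carries a valid, unexpired token that the server issued together with the page, and that token has not exceeded a request budget. The HMAC API key never leaves the server, and the token is reusable for the lifetime of the page, which is what the question's "called many times" constraint needs. The following is an added, framework-agnostic Python sketch of that scheme; it is not code from the question or the answer, and the names `issue_page_token`, `verify_page_token`, `AutocompleteController`, the TTL and the per-token budget are assumptions chosen for illustration. The in-memory counter stands in for whatever shared store a real deployment would use.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Assumption: a server-side secret used only to sign page tokens. It is
# distinct from the key used to talk to the upstream HMAC API and never
# reaches the browser.
SERVER_SECRET = secrets.token_bytes(32)

TOKEN_TTL_SECONDS = 15 * 60        # assumption: a page token lives 15 minutes
MAX_REQUESTS_PER_TOKEN = 200       # assumption: budget of upstream calls per page load
MIN_QUERY_LENGTH = 3               # assumption: don't spend upstream calls on 1-2 chars


def _sign(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_page_token(now=None) -> str:
    """Called when the microsite page is rendered; the token is embedded in the
    page and sent back with every autocomplete request."""
    now = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    payload = f"{nonce}.{now + TOKEN_TTL_SECONDS}"
    return f"{payload}.{_sign(payload)}"


def verify_page_token(token: str, now=None) -> bool:
    """Check the signature first (constant-time), then the expiry."""
    now = now if now is not None else time.time()
    parts = token.split(".")
    if len(parts) != 3:
        return False
    nonce, exp, sig = parts
    expected = _sign(f"{nonce}.{exp}")
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False
    # The signature covers exp, so it is the integer we wrote when issuing.
    return now < int(exp)


# Per-token request counter. In-memory for the example; a real deployment
# would keep this in a shared store so every web node sees the same count.
_usage = defaultdict(int)


class AutocompleteController:
    """Stand-in for the question's controller. `upstream` is the function that
    signs and sends the request to the HMAC API (kept out of this example)."""

    def __init__(self, upstream):
        self.upstream = upstream

    def suggest(self, query: str, token: str, now=None):
        """Returns an (http_status, body) pair."""
        if not verify_page_token(token, now):
            return 401, "invalid or expired page token"
        _usage[token] += 1
        if _usage[token] > MAX_REQUESTS_PER_TOKEN:
            return 429, "request budget for this page token exhausted"
        if len(query) < MIN_QUERY_LENGTH:
            return 400, f"query must be at least {MIN_QUERY_LENGTH} characters"
        return 200, self.upstream(query)


if __name__ == "__main__":
    # Constructed stand-in for the HMAC API client.
    ctrl = AutocompleteController(lambda q: [f"{q} Street", f"{q} Road"])
    tok = issue_page_token()
    print(ctrl.suggest("Mai", tok))
    print(ctrl.suggest("Mai", "not.a.token"))
```

This raises the cost of scripted consumption (a client must fetch a fresh page every 200 requests or 15 minutes, and each page load is visible in the logs) without putting any burden on the client organisation or its users; it does not make the endpoint unusable by someone willing to do that, which is the limit the answer describes. The TTL and budget should be tuned to what a real user typing an address actually consumes.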