You are currently viewing Restrict IP Address in ASP.NET Web API

Restrict IP Address in ASP.NET Web API

There are several ways to restrict access to a Web server based on the requestor’s IP address.  We can do that from IIS or using inbound Firewall rules. But If you want to restrict access to one of the applications deployed in the server based on the IP Address then you have to achieve that programmatically.  In this post, we will see how to restrict IP addresses in ASP.NET Web API.

Check this Post for restricting IP Addresss in ASP.NET Core Web API

We will discuss the following in this post

  • How to get the incoming IP Address
  • What are Whitelist and Blacklist 
  • Writing a Handler to implement IP Filtering
  • Recommended readings and courses

Get the incoming IP address:

Let’s built an extension method for HttpRequestMessage to retrieve the IP address.  The method for getting the IP address from the request varies depends on the hosting method. The following method gets the IP address from the request message.  It works with the following hosting methods.

  • OWIN Hosting
  • Web Hosting
  • Self Hosting
public static string GetIP(this HttpRequestMessage requestMessage) 
  // Owin Hosting 
  if (requestMessage.Properties.ContainsKey("MS_OwinContext")) 
    return HttpContext.Current != null ? HttpContext.Current.Request.GetOwinContext()
.Request.RemoteIpAddress : null; 
  // Web Hosting 
  if (requestMessage.Properties.ContainsKey("MS_HttpContext")) 
    return HttpContext.Current != null ? HttpContext.Current.Request.UserHostAddress : null; 
  // Self Hosting 
  if (requestMessage.Properties.ContainsKey(RemoteEndpointMessageProperty.Name)) 
    RemoteEndpointMessageProperty property = 
(RemoteEndpointMessageProperty)requestMessage .Properties[RemoteEndpointMessageProperty.Name]; 
    return property != null ? property.Address : null; 
  return null; 

Whitelist vs Blacklist

Now we have the IP address of the incoming request. We need to verify this against a list.  When I say list, you can use this list to grant or deny access.   If you use the list to grant access, it is called Whitelist else it is called Blacklist.

  • Whitelisting – Allow traffic only to known addresses
  • Blacklisting – Allow all traffic and block only known addresses

For this example, I am going to use a whitelist of IP Address.  I have stored the IP Address in CSV format on the web.config. Alternatively, we can use a table-driven approach that allows the admin to add update entries easily.

<add key="WhiteListedIPAddresses" value="," />

Validate incoming IP against the Whitelist

I have another extension method on HttpRequestMessage to verify whether the IP address of the incoming request is whitelisted.

public static bool AllowIP(this HttpRequestMessage request)
  var whiteListedIPs = ConfigurationManager.AppSettings["WhiteListedIPAddresses"];
  if (!string.IsNullOrEmpty(whiteListedIPs))
    var whiteListIPList = whiteListedIPs.Split(',').ToList();
    var ipAddressString = request.GetIP();
    var ipAddress = IPAddress.Parse(ipAddressString);
    var isInwhiteListIPList = 
                .Where(a => a.Trim()
                .Equals(ipAddressString, StringComparison.InvariantCultureIgnoreCase))
    return isInwhiteListIPList;
  return true;

The above method reads the whitelisted IPs from the config file and verifies whether the incoming IP is on the list.

You can also store a range of IP addresses or an IP address with CIDR in the web.config to allow/deny access to multiple IP addresses. Please refer to this to link for more operations related to IP addresses.

Now we have the whitelisted IPs in the web.config and built the extension methods to read the IP address from request and validate it against the whitelist. How can we put this into action?

Create the Handler

Delegating handlers are used in Web API to represent Message Handlers before routing. Typically, a series of message handlers are chained together. The first handler receives an HTTP request, does some processing, and gives the request to the next handler. However, at any point, a handler can decide to take action and process the request returning the response without passing to the next one.  Before we start creating the handler, please refer the following to know more about handler.

HTTP Message Handlers in ASP.NET Web API

Message Handler explained

public class IPFilterHandler : DelegatingHandler
  protected override async Task SendAsync(HttpRequestMessage request, 
CancellationToken cancellationToken)
    if (request.AllowIP())
      return await base.SendAsync(request, cancellationToken);
    return request
                , "Not authorized to view/access this resource");

In the SendAsync method, the handler checks whether the IP address of the request is whitelisted. If so, it calls base.SendAsync to pass the message to the next handler.  If not, it processes the request and returns an unauthorized error response with a custom message.

Register the Handler

To register a message handler on the server-side, add the handler to HttpConfiguration.MessageHandlers collection in WebApiConfig.

public static class WebApiConfig
  public static void Register(HttpConfiguration config)
      name: "DefaultApi",
      routeTemplate: "api/{controller}/{id}",
      defaults: new { id = RouteParameter.Optional });          
    config.MessageHandlers.Add(new IPFilterHandler());


This article tried to provide a summary of the very unique requirement of implementing security to Web API by IP Address.  We discussed the basic concepts, Handler and an implementation example with ASP.NET Web API. 

Recommended Courses

We may receive a commission for purchases made through these links.

Further Reading

You can refer to the following link if you want to learn more about Web API Security.

This Post Has 2 Comments

Leave a Reply