Security in Web API

All controllers provided by the Customer's Canvas Web API work through HTTPS only. Any POST, PUT, or DELETE request must include the X-CustomersCanvasAPIKey: "ApiSecurityKey" field in its header. "ApiSecurityKey" is an arbitrary string, but it must be a unique value, which you define in the Web.config file.

        <add key="ApiSecurityKey" value="ApiSecurityKey" />

Note that all snippets in this section define this security key in JavaScript code. This can be highly insecure when the snippets run on a public site, since the key is visible to anyone who can view the page's scripts. However, you can use them this way in your admin panel, or just for demonstration purposes.

For real applications, back-end code should act as a proxy that sends requests to the controllers. Your code decides whether a user has enough rights to manipulate templates, fonts, or images, and only if the user has enough rights does it send the request to the corresponding controller.
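
One way to structure such a proxy, as an added example that is not Customer's Canvas code: the key stays on the server and is attached only after a rights check. The upstream URL, the role names, the `CC_API_KEY` environment variable, and forwarding GET requests without the key for any signed-in user are all assumptions.

```javascript
// Added example, not Customer's Canvas code. Assumptions: the upstream URL,
// the role names, and the CC_API_KEY environment variable are hypothetical.
const UPSTREAM = 'https://canvas.example.com';   // HTTPS only, per the docs
const WRITE_METHODS = new Set(['POST', 'PUT', 'DELETE']);
const ROLES_ALLOWED_TO_WRITE = new Set(['admin', 'designer']);

// Decide whether a request may be forwarded. On success returns the URL and
// headers for the upstream call; the key is added here, never by the browser.
function authorize(user, method, path, clientHeaders = {}) {
  const verb = String(method).toUpperCase();
  if (!user) return { status: 401 };
  // Resolve the path against the fixed upstream and reject anything that
  // would leave it (for example "//other-host/..." or "/\other-host/...").
  let url;
  try { url = new URL(path, UPSTREAM); } catch { return { status: 400 }; }
  if (typeof path !== 'string' || !path.startsWith('/') || url.origin !== UPSTREAM) {
    return { status: 400 };
  }
  // Copy only what the upstream needs; any client-sent key header is dropped.
  const headers = {};
  if (clientHeaders['content-type']) headers['content-type'] = clientHeaders['content-type'];
  if (WRITE_METHODS.has(verb)) {
    if (!ROLES_ALLOWED_TO_WRITE.has(user.role)) return { status: 403 };
    const key = process.env.CC_API_KEY;          // read server-side only
    if (!key) return { status: 500 };
    headers['X-CustomersCanvasAPIKey'] = key;
  }
  return { status: 200, method: verb, url: url.href, headers };
}

// Forward an authorized request with fetch (Node 18+). `user` comes from your
// own session handling; `body` is the already-read request body, if any.
async function forward(user, method, path, clientHeaders, body) {
  const d = authorize(user, method, path, clientHeaders);
  if (d.status !== 200) return { status: d.status, body: null };
  const upstream = await fetch(d.url, {
    method: d.method, headers: d.headers, body, redirect: 'manual',
  });
  return { status: upstream.status, body: Buffer.from(await upstream.arrayBuffer()) };
}
```

The browser calls your proxy with its normal session cookie and never sees the key; rotating the value in Web.config then only requires updating the proxy's environment.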

In This Section

Web API for Manipulating Design and Mockup Files
Web API for Manipulating User Images
Web API for Manipulating Custom Fonts