HMAC API exposed via public site?
What steps can I take to prevent unauthorised access to our API (if indeed any are required)?
Background
The diagram below illustrates a microsite we're implementing, and an HMAC API we're providing (for several purposes) which returns commercially sensitive data to authenticated consumers. The arrows represent intended (green) and unintended (red) communication.
The HMAC API is intended for address autocompletion. There is no login for the microsite. The page has an address input. To enable autocomplete the page makes an AJAX GET call to the controller after each keystroke. For each AJAX GET call, the controller constructs the HMAC and makes a request to the HMAC API.
The problem
I can't see anything currently preventing consumption of the AJAX GET method.
Considerations
I've read that AnitForgeryTokens aren't useful on GET methods, but that you can get around this by turning it into a POST. That sounds a bit ugly, but since this is only a microsite (i.e. we're throwing it away after a month or so) I'm quite prepared to put up with ugly security.
Seven years on from that, is that still the best way?
prevent unauthorised access to a method on an unauthenticated controller
If you don't have any authentication and authorization ("unauthenticated controller") then there can be no such thing as an unauthorized access: i.e. every access is allowed. And, what does not exist cannot be prevented.
If you could defined what unauthorized access means in your use case you might be able to add some authorization which prevents it.