Make your Azure API Management more secure
Using Azure API Management as a gateway provides a portal to help manage and control our APIs for public exposure. Since it is open to the public, we need to implement diverse authentication and authorization methods to protect our endpoints.
However, as a publicly reachable API, it is still exposed to attacks. To enhance security, we can add additional HTTP response headers (e.g., X-Frame-Options, which prevents the response from being rendered inside a frame and so mitigates clickjacking).
Below are the steps to customize the response behind the Azure API Management service.
1) Navigate to the API page and switch to the "All APIs" level.
2) Since we are modifying the response, go to "Outbound processing" and add a policy.
You can add the policy at each individual API level. However, in this example, we will apply the same policy to all APIs.
Add the following policies, one in the <outbound> section and one in the <on-error> section: for a normal response, add a rule that sets X-Frame-Options to DENY; for error responses (such as bad requests), add a rule that sets X-Frame-Options to SAMEORIGIN.
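The policy document itself is not shown above, so here is an added example (not taken from the original article) of what the "All APIs" policy looks like with both rules in place. It uses the standard Azure API Management set-header policy; the header names and values are the ones the article prescribes, and the exists-action="override" attribute is an assumption chosen so that an X-Frame-Options header returned by the backend is replaced rather than duplicated.

```xml
<policies>
    <inbound>
        <!-- no changes needed for this scenario -->
    </inbound>
    <backend>
        <forward-request />
    </backend>
    <outbound>
        <!-- normal (e.g. HTTP 200) responses: forbid framing entirely -->
        <set-header name="X-Frame-Options" exists-action="override">
            <value>DENY</value>
        </set-header>
    </outbound>
    <on-error>
        <!-- error responses, including the gateway's own 401s
             (missing or invalid subscription key), never reach <outbound>,
             so the header must be set here as well -->
        <set-header name="X-Frame-Options" exists-action="override">
            <value>SAMEORIGIN</value>
        </set-header>
    </on-error>
</policies>
```

If you attach the policy at an individual API or product scope instead of "All APIs", keep the <base /> element in each section so the parent scope's policies still run. Note also that X-Frame-Options only affects how browsers treat framing; it does not protect non-browser clients, and newer browsers honour the Content-Security-Policy frame-ancestors directive in preference to it, so consider setting both.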
Then, perform quick testing to ensure the settings are effective.
- HTTP 401 (Unauthorized) response: should include X-Frame-Options: SAMEORIGIN.
- HTTP 200 (OK) response: should include X-Frame-Options: DENY.
That’s all for the article!