
Make your Azure API Management more secure

Add security-controlling HTTP response headers with an outbound policy

2 min read · Jul 22, 2024


Image created by @bing

Using Azure API Management as a gateway gives us a single place to manage and control the APIs we expose to the public. Because the gateway is reachable from the internet, we need to put authentication and authorization in front of our endpoints.

Authentication alone is not enough, though. A browser will still render whatever the gateway returns, including error pages, so the responses themselves should carry protective HTTP headers. For example, X-Frame-Options tells the browser whether a response may be embedded in a frame, which blocks clickjacking. Adding such headers at the gateway means every API behind it gets them without changing backend code.

Below are the steps to customize the response behind the Azure API Management service.

1) Navigate to the API page and switch to the "All APIs" level.
2) Since we are modifying the response, go to "Outbound processing" and add a policy.

Setup API Management Policy

You can add the policy at the level of each individual API. In this example, however, we apply the same policy to all APIs so that no endpoint is missed.

Add the following policies, one for <outbound> and one for <on-error>:

Edit Policies

For a normal response, add a set-header rule in the <outbound> section that sets X-Frame-Options to DENY. For error responses (for example a 401 produced by an inbound validation policy, which skips the <outbound> section), add the same rule in the <on-error> section; this example sets it to SAMEORIGIN there so the two cases can be told apart while testing.
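The complete policy document for the "All APIs" scope, written out as an added example (the article shows it only as a screenshot, so this is not copied from the author's editor). It assumes the default global policy skeleton, in which the <backend> section contains <forward-request /> and there is no <base /> because the global scope has no parent. The X-Content-Type-Options header goes one step beyond the article's X-Frame-Options example and is included to show that the same pattern covers any header you want every response to carry.

```xml
<!--
  Global ("All APIs") policy for Azure API Management.
  <outbound> runs for every successful backend response.
  <on-error> runs instead of <outbound> when a policy raises an error
  (e.g. validate-jwt failing with 401), so headers must be set in both.
  exists-action="override" replaces any value the backend already sent,
  so a backend cannot weaken the header by emitting its own.
-->
<policies>
    <inbound />
    <backend>
        <forward-request />
    </backend>
    <outbound>
        <!-- Normal responses: never allow framing. -->
        <set-header name="X-Frame-Options" exists-action="override">
            <value>DENY</value>
        </set-header>
        <!-- Added beyond the article's example: stop MIME sniffing. -->
        <set-header name="X-Content-Type-Options" exists-action="override">
            <value>nosniff</value>
        </set-header>
    </outbound>
    <on-error>
        <!-- Error responses (401, 403, 5xx from policies): the article uses
             SAMEORIGIN here so test results are distinguishable from DENY. -->
        <set-header name="X-Frame-Options" exists-action="override">
            <value>SAMEORIGIN</value>
        </set-header>
        <set-header name="X-Content-Type-Options" exists-action="override">
            <value>nosniff</value>
        </set-header>
    </on-error>
</policies>
```

Two points worth checking after saving. First, exists-action="override" matters: with the default "append", a backend that already sends X-Frame-Options would produce two comma-separated values, and browsers treat a malformed value as if the header were absent. Second, <on-error> is not a superset of <outbound>; a response that fails in <inbound> never reaches <outbound>, so a header set only there would be missing exactly on the error pages an attacker is most likely to try to frame. A quick `curl -sI https://<your-apim-host>/<api-path>` with and without a valid subscription key shows both branches.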

Then, perform a quick test to confirm the settings are effective:

  • HTTP 401 (Unauthorized) response: should include X-Frame-Options: SAMEORIGIN.
  • HTTP 200 (OK) response: should include X-Frame-Options: DENY.

Screenshots: HTTP-401 and HTTP-200 responses

That’s all for the article!



Written by LAI TOCA

Coding for fun. (Either you are running for food or running for being food.)
