Using policies in API Management to remove response headers from the backend Web API that leak information

A while ago I showed a fellow MVP a couple of Web APIs that were secured with Azure API Management. He liked the solution, but he also showed me that when you call the Web APIs through the Azure API Management gateway, information about the backend Web API leaks out in the response headers.
The Domain attribute in the Set-Cookie header is especially dangerous, because it reveals the host name of the backend Web API. With that information an attacker can bypass Azure API Management and call the backend Web API directly, skipping every policy (authentication, throttling, quotas) that the gateway enforces.

Response headers that reveal information about the backend Web API:

  • Set-Cookie
  • X-Powered-By

Web API response Headers

Solution

As always there are several ways to solve this, but if you don't need these headers the easiest way is to remove them with a policy in API Management.

Steps

In the Azure Portal navigate to your API Management instance and select Products in the menu. Then select the Product to which you want to apply the policy and click Policies.
Azure API Management - Product Policies

Set the cursor in the outbound element of the XML. Then add the Set HTTP header snippet from the menu.
Modify the generated set-header elements so that they delete the "Set-Cookie" and "X-Powered-By" headers.
Azure API Management - Add Set HTTP header
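The complete product policy that results from these steps, written out here as an added example rather than taken from the screenshot in the original post. The only assumption is that the policy is applied at Product scope; the elements and the `exists-action="delete"` attribute are the standard Azure API Management policy syntax.

```xml
<policies>
    <inbound>
        <!-- Inherit the inbound policies from the global (All APIs) scope -->
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Remove the backend's Set-Cookie header. "delete" removes every
             instance of the header, so a backend that sends several cookies
             (each with its own Domain attribute) leaks none of them. -->
        <set-header name="Set-Cookie" exists-action="delete" />
        <!-- Remove the technology fingerprint (e.g. ASP.NET) -->
        <set-header name="X-Powered-By" exists-action="delete" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

After saving the policy, verify the result from outside the gateway rather than trusting the portal: request an operation of an API in the product with `curl -sI` (replace the host and path with your own gateway URL) and confirm that neither `Set-Cookie` nor `X-Powered-By` appears in the output. The same `set-header` pattern with `exists-action="delete"` works for any other header the backend emits that you do not want to expose; only the two headers above were observed in this case. Keep in mind that a backend which relies on its cookie (for example for session state or session affinity) will no longer receive it once the header is deleted, so this policy is only appropriate when the API is stateless towards its clients.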

Conclusion

Azure API Management is very powerful and you get a lot of functionality out of the box, but information leaking through response headers is easily overlooked, while removing it is crucial. Luckily it is just as easy to fix with a policy. Removing the headers only takes away the clue, though: it does not stop someone who already knows the backend host name. The backend itself should therefore be configured to accept traffic only from the gateway, for example through network restrictions, a client certificate presented by API Management, or a shared secret that the gateway adds to each request.

About the author

Tomasso Groenendijk lives in the Netherlands and is a Solution Architect at Insight. He has over 17 years' experience in software development and software design. Tomasso is specialized in application integration with a strong interest in the Windows Azure cloud platform. Since 2014, Tomasso has been awarded the Microsoft Azure MVP award four times. He is an active contributor to the integration community through his blog, MSDN samples, TechNet Wiki and speaking at events.
