Azure Eventhubs Header X-Frame-Options

Hello,

I have the following problem in this architecture:

Integration: I have connected as output of a Stream Analytics to an Eventhub, this Eventhub is inside a virtual network and is used to send data to an Azure Function that then takes them and sends them to another component.

The problem is that in a hacking test they have told me that when sending events to the Eventhub it does not respond with some headers among those the X-Frame-Options.

I was looking at the Microsoft documentation for Eventhub and I can’t find anything where I can configure Headers.

Is what they ask me possible? Why doesn’t Eventhub allow me to configure the headers directly? Is there any documentation that explains the issue?

Greetings

PRADEEPCHEEKATLA-MSFT 78,576 Reputation points Microsoft Employee

2023-07-27T06:56:50.8366667+00:00

@Jesus Orlando Aguilar Contreras - Thanks for the question and using MS Q&A platform.

Azure Event Hubs does not support configuring custom headers like X-Frame-Options. The reason for this is that Event Hubs is designed to be a high-throughput, low-latency event streaming service, and adding custom headers can add additional overhead that can impact performance.

However, you can set custom headers on the events that are delivered to Azure Event Hubs. When creating an event subscription in the Azure portal, you can use the Delivery Properties tab to set custom HTTP headers.

To set headers with a fixed value, provide the name of the header and its value in the corresponding fields. You can also set the value of a header based on a property in an incoming event. Use JsonPath syntax to refer to an incoming event's property value to be used as the value for a header in outgoing requests.

For more information, please refer to the Azure Event Grid - Set custom headers on delivered events documentation.

Hope this helps. Do let us know if you any further queries.
Jesus Orlando Aguilar Contreras 75 Reputation points

2023-07-27T16:57:47.1366667+00:00

In that case, there is no security risk that eventhub does not use headers?

What I understand is that although he uses the HTTP protocol, it is not the main protocol of the component.

Do you know of any documentation where I can read this? Thank you very much!
PRADEEPCHEEKATLA-MSFT 78,576 Reputation points Microsoft Employee

2023-07-28T04:00:16.9+00:00

@Jesus Orlando Aguilar Contreras -

That's correct. Event Hubs uses the AMQP (Advanced Message Queuing Protocol) and HTTPS protocols for communication, but it is not a web server and does not serve web pages. Therefore, the X-Frame-Options header is not relevant to Event Hubs and there is no security risk associated with it not being present.

You can find more information about the security features of Event Hubs in the Azure Event Hubs security documentation: Azure security baseline for Event Hubs.

Azure Event Hubs is a fully managed, real-time data ingestion service that is designed to receive and process millions of events per second. It is not possible to configure headers directly in Event Hubs as it is a managed service and the headers are set by the service itself.

The X-Frame-Options header is a security feature that helps to prevent clickjacking attacks by ensuring that a web page can only be displayed in a frame on the same origin as the page itself. This header is not relevant to Event Hubs as it is not a web page and does not use frames.

If you are concerned about the security of your Event Hubs, you can use Azure Active Directory (Azure AD) authentication and role-based access control (RBAC) to control access to your Event Hubs. This will help to ensure that only authorized users and applications can access your Event Hubs.

You can also use Azure Security Center to monitor and protect your Event Hubs against threats. Azure Security Center provides threat protection for your Azure resources by using advanced analytics and machine learning to detect and respond to threats.

I hope this helps! Let me know if you have any further questions.
PRADEEPCHEEKATLA-MSFT 78,576 Reputation points Microsoft Employee

2023-07-31T07:35:33.3866667+00:00

@Jesus Orlando Aguilar Contreras - We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Jesus Orlando Aguilar Contreras 75 Reputation points

2023-07-31T13:52:34.36+00:00

Hello,

Today I have a session with the Microsoft support team managed by the company where I work, as soon as I have an answer from them, I will share the conclusions so that other people can have a clear idea of the issue.

Thank you!
PRADEEPCHEEKATLA-MSFT 78,576 Reputation points Microsoft Employee

2023-08-03T06:11:25.7933333+00:00

@Jesus Orlando Aguilar Contreras - Following up to see if your issue was resolved. If so, could you please share the resolution details here, so that it will be helpful for other members of the community who are having similar issue.

1 answer

Jesus Orlando Aguilar Contreras 75 Reputation points

2023-08-03T14:26:12.7866667+00:00
Hello,

This is what has been answered in a session: "

The recommendation for "Event Grid" is to use a "private endpoint" on the connection that is configured on the Azure Front Door in order that additional security configurations, protocols and software information that were found as a result of the "Tehical Hacking" type tests can be performed.

Take as reference the architecture we reviewed and shared in the session, here the reference: Mission-critical baseline architecture with network controls - Azure Architecture Center | Microsoft Learn

In case of "Event Hub" the scenario is different since they are running the tests internally and they would have to use an "Azure Application Gateway" for all the traffic that is going to the API.

On the other hand, TLS testing with versions lower than 1.2 are only call/acknowledge, but they are required to test in those versions not only the call, launch an event and monitor response. If the call or test is performed with version lower than 1.2 it should not affect the expected behavior of the service. In the case of requiring "Event Hub" to have a different behavior when making a call through a version lower than TLS 1.2, it will be necessary to raise a support ticket to validate if it is possible to change the behavior of the service."

For the Eventhub and Eventgrid cases related to Header testing and TLS 1.2 protocol, this is what Microsoft told us in an internal session.

I hope this helps to solve other people's doubts.
Please sign in to rate this answer.

1 person found this answer helpful.
PRADEEPCHEEKATLA-MSFT 78,576 Reputation points Microsoft Employee

2023-08-07T07:14:57.87+00:00

@Jesus Orlando Aguilar Contreras - Thanks for sharing the solution, which might be beneficial to other community members reading this thread.
Sign in to comment