We use APIM and the (new) developer portal.
During a recent pen test it was noted that there are some security headers missing and under certain circumstances we were able to get the service to leak some headers revealing the underlying server/framework.
Obviously these are low risk, but we have been asked to look into resolving them and have come up blank.
I want to ensure we have: HSTS, CSP, X-Content-Type-Options and X-Frame-Options headers.
I also want to ensure that it is not possible for the Server and X-Powered-By headers to be served up (which currently you can do by sending an HTTP/1.1 HEAD request with a spoofed Host header to the non-SSL URL for the dev portal).
Is there any way to do this?
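Added example, not from the original post and not Microsoft's own tooling: a small Python probe that reproduces the check the question describes (an HTTP/1.1 HEAD request carrying a chosen Host header, sent over plain HTTP or TLS) and then audits the response for the four headers the question lists plus any Server or X-Powered-By value. The host names, port and the two embedded sample responses are constructed for illustration; the header values in them are placeholders, not what APIM actually returns.

```python
"""Probe a host for missing security headers and leaked Server / X-Powered-By values."""
import socket
import ssl
from typing import Dict, List, Tuple

# Headers the question wants present, keyed by lowercase name (HTTP header names are case-insensitive).
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS",
    "content-security-policy": "CSP",
    "x-content-type-options": "X-Content-Type-Options",
    "x-frame-options": "X-Frame-Options",
}
# Headers that should never reach the client because they fingerprint the backend.
LEAKY_HEADERS = ("server", "x-powered-by")


def build_head_request(path: str, host_header: str) -> bytes:
    """Raw HTTP/1.1 HEAD request. host_header is sent verbatim, so it can differ
    from the TCP target to reproduce the spoofed-Host case from the question."""
    return (
        f"HEAD {path} HTTP/1.1\r\n"
        f"Host: {host_header}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response_headers(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP response into (status code, {lowercase header: value})."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_headers(headers: Dict[str, str]) -> Dict[str, object]:
    """Report which required headers are absent and which fingerprinting headers leaked."""
    lowered = {k.lower(): v for k, v in headers.items()}
    missing: List[str] = [label for name, label in REQUIRED_HEADERS.items() if name not in lowered]
    leaked = {name: lowered[name] for name in LEAKY_HEADERS if name in lowered}
    return {"missing": missing, "leaked": leaked}


def probe(target_host: str, port: int, path: str, spoofed_host: str, use_tls: bool) -> Dict[str, object]:
    """Live check: connect to target_host:port, send the HEAD request with spoofed_host, audit the reply.
    Not exercised offline; run it against a host you are authorised to test."""
    sock = socket.create_connection((target_host, port), timeout=10)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=target_host)
    try:
        sock.sendall(build_head_request(path, spoofed_host))
        chunks = []
        while True:  # Connection: close, so read until the server hangs up
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    finally:
        sock.close()
    status, headers = parse_response_headers(b"".join(chunks))
    result = audit_headers(headers)
    result["status"] = status
    return result


# Constructed sample responses (placeholder values, not real APIM output):
# one that fails every check, one that passes.
SAMPLE_LEAKY_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://portal.example.invalid/\r\n"
    b"Server: ExampleServer/1.0\r\n"
    b"X-Powered-By: ExampleFramework\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, sample in (("leaky", SAMPLE_LEAKY_RESPONSE), ("hardened", SAMPLE_HARDENED_RESPONSE)):
        status, hdrs = parse_response_headers(sample)
        print(label, status, audit_headers(hdrs))
```

To reproduce the question's finding against a real host, call `probe("portal.example.invalid", 80, "/", "some-other-host.invalid", use_tls=False)` and compare with the same call on port 443 with `use_tls=True`; a non-empty `leaked` entry on either is the fingerprinting leak, and anything left in `missing` is a header the portal is not setting.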