DavidBarrett-5423 asked:

Azure APIM Developer Portal: amend HTTP headers?

We use APIM and the (new) developer portal.

During a recent pen test it was noted that there are some security headers missing and under certain circumstances we were able to get the service to leak some headers revealing the underlying server/framework.

Obviously these are low risk, but we have been asked to look into resolving them but have come up blank.

I want to ensure we have HSTS, CSP, X-Content-Type-Options and X-Frame-Options headers.

I also want to ensure that it is not possible for the Server and X-Powered-By headers to be served up (which currently you can do by sending an HTTP/1.1 HEAD request with a spoofed Host header to the non-SSL URL for the dev portal).

Is there any way to do this?

azure-api-management
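A way to verify the headers the question lists on any response you capture, as an added example that is not part of this thread and not code from Azure APIM or the developer portal: it parses a raw header block, reports which hardening headers are missing or weakly set, and which headers disclose the server or framework. The sample response is constructed, not captured from a real portal.

```python
"""Audit response headers for the controls raised in this thread (added example;
not from the thread or from Azure APIM; sample data below is constructed)."""
import re

def _hsts_ok(value):
    # HSTS is only effective with a max-age; one year is the common baseline
    m = re.search(r"max-age=(\d+)", value, re.I)
    return None if m and int(m.group(1)) >= 31536000 else "max-age missing or under one year"

# hardening header -> check returning None when acceptable, else a reason
VALUE_CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": lambda v: None if v.strip() else "empty policy",
    "x-content-type-options": lambda v: None if v.strip().lower() == "nosniff" else "expected nosniff",
    "x-frame-options": lambda v: None if v.strip().upper() in ("DENY", "SAMEORIGIN") else "expected DENY or SAMEORIGIN",
}
# headers that reveal the server or framework behind the portal
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version")

def parse_headers(raw):
    """Turn a raw header block (status line optional) into a lower-cased dict."""
    headers = {}
    for line in raw.strip().splitlines():
        if line.upper().startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        # repeated fields are joined with commas, as for list-valued HTTP headers
        headers[key] = headers[key] + ", " + value if key in headers else value
    return headers

def audit(raw):
    """Return {'missing': [...], 'weak': {name: reason}, 'disclosing': {name: value}}."""
    headers = parse_headers(raw)
    missing, weak = [], {}
    for name, check in VALUE_CHECKS.items():
        if name not in headers:
            missing.append(name)
        elif (reason := check(headers[name])):
            weak[name] = reason
    disclosing = {n: headers[n] for n in DISCLOSING if n in headers}
    return {"missing": missing, "weak": weak, "disclosing": disclosing}

# Constructed sample: hardening headers absent, stack named in Server/X-Powered-By.
SAMPLE_WEAK = """HTTP/1.1 200 OK
Content-Type: text/html
Server: ExampleServer/1.0
X-Powered-By: ExampleFramework
"""
```

Feed it the header block of a captured response (for example pasted from browser developer tools) and an empty `missing`, `weak` and `disclosing` result means the controls from the question are all in place.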

@DavidBarrett-5423 Thanks for reaching out. I believe all the test results point to the developer portal. Please confirm if my understanding is correct. I don't see any way to control the HSTS and CSP right now. For CSP the feature request is already raised here. The best place to get the feature request would be in the APIM developer portal forum.

Please confirm if the security headers missing are only for the developer portal and if you can share the scans I can check with my team for the confirmation if there is any way to fix them. Please respond only to my private comment to share the scan details.


1 Answer

MayankBargali-MSFT answered:

@DavidBarrett-5423 Apologies for the delay in response. I have got the confirmation from my team that unfortunately, as of now, there is no way to control the HSTS, CSP, X-Content-Type-Options and X-Frame-Options headers in the APIM developer portal.

For CSP the feature request is already raised here and as per the update from the team to control CSP the feature would be released in May/June this year.
For the other headers (HSTS, X-Content-Type-Options and X-Frame-Options) I have created the feature request here.

You can always provide your feedback and create feature requests in the APIM developer portal forum.


Thanks for getting back to me - I'll keep an eye on the feature request :)

Thanks
