Protect APIs With Security Headers Using Azure API Management Policies

Azure API Management policies are a powerful capability that lets the API publisher change the behaviour of an API through configuration rather than code. The gateway (API Management) receives every request and by default forwards it unaltered to the backend API. A policy can, however, modify both the inbound request and the outbound response, for example to limit the call rate, add security headers, or convert JSON to XML.
 
HTTP security headers help protect Web API clients against a class of attacks (clickjacking, MIME sniffing, protocol downgrade and the like). It is good practice to set them either in the application itself or at the API gateway; setting them at the gateway gives you one place to enforce them for every backend it fronts.
 
This article demonstrates how to implement HTTP security headers as outbound policies in Azure API Management.
 
I created an Azure API Management service instance and imported and published my API. If you are not familiar with importing and publishing APIs into API Management, the Microsoft documentation covers it.
 
Before adding any outbound policies in Azure API Management, let's look at the response headers returned when calling my API from Postman.
 
 
As we can see, none of the security headers are present in the response. The response also leaks information about the backend technology stack, for example the X-Powered-By header, which helps an attacker fingerprint the platform and pick version-specific attacks. Both problems are easy to fix with outbound policies.
 

Implementing Security Headers As Outbound Policies in API Management

 
Now I am adding outbound processing policies to my API (in my case the API is named "CoursesAPI") in API Management.
  1. Select your API in API Management.
  2. At the top of the screen, select the Design tab.
  3. Select All operations.
  4. In the Outbound processing section, click the </> icon.
 
Modify the <outbound> section as below and Save. The <base /> element keeps whatever policies are inherited from the product and global scope; without it they are silently dropped for this API.
<outbound>
    <base />
    <set-header name="Strict-Transport-Security" exists-action="override">
        <value>max-age=31536000</value>
    </set-header>
    <set-header name="X-XSS-Protection" exists-action="override">
        <value>1; mode=block</value>
    </set-header>
    <set-header name="Content-Security-Policy" exists-action="override">
        <value>script-src 'self'</value>
    </set-header>
    <set-header name="X-Frame-Options" exists-action="override">
        <value>deny</value>
    </set-header>
    <set-header name="X-Content-Type-Options" exists-action="override">
        <value>nosniff</value>
    </set-header>
    <set-header name="Expect-Ct" exists-action="override">
        <value>max-age=604800,enforce</value>
    </set-header>
    <!-- 'none' is not a Cache-Control directive; 'no-store' is the value that stops
         browsers and intermediate caches retaining the response -->
    <set-header name="Cache-Control" exists-action="override">
        <value>no-store</value>
    </set-header>
    <!-- strip the backend's technology-disclosure headers -->
    <set-header name="X-Powered-By" exists-action="delete" />
    <set-header name="X-AspNet-Version" exists-action="delete" />
</outbound>

A few points worth knowing about these values:
  1. Cache-Control has no "none" directive, so the original value would have been ignored; no-store is the correct directive for API responses that carry user data.
  2. Strict-Transport-Security is only honoured by browsers when the response arrives over HTTPS, so publish the API with the https:// URL scheme only.
  3. X-XSS-Protection and Expect-Ct are legacy headers that current browsers no longer act on. They do no harm here, but Content-Security-Policy is the control that matters; script-src 'self' is a sensible default, and an API that never serves HTML can use the stricter default-src 'none'; frame-ancestors 'none' (frame-ancestors supersedes X-Frame-Options in modern browsers).
  4. exists-action="override" replaces any header the backend already set, which is what you want for hardening headers; exists-action="delete" removes the header entirely.

Validating API Response Headers

 
Let’s hit the API again from Postman and check the response headers.
 
 
Excellent! Now we can see that security headers are part of the API response.
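If you would rather script this check than eyeball the headers in Postman, here is an added example (mine, not code from the article) that audits a set of response headers against what the outbound policy above should produce: the hardening headers present with sane values, and the backend's technology-disclosure headers gone. The two header blocks are constructed to resemble the before and after responses; fetch_headers() is a hypothetical helper you can point at your own gateway URL.

```python
"""Audit HTTP response headers from an API published through API Management.

Added example, not code from the original article. Encodes the outcome the
outbound policy is meant to produce so the check can be run from a pipeline.
"""
import urllib.request

ONE_YEAR = 31536000  # the max-age the policy sets for HSTS


def _hsts_ok(value: str) -> bool:
    """Require a max-age of at least one year; includeSubDomains is optional."""
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                return int(directive[len("max-age="):]) >= ONE_YEAR
            except ValueError:
                return False
    return False


def _csp_ok(value: str) -> bool:
    """Accept any policy that actually restricts script or default sources."""
    names = {d.strip().split(" ")[0].lower() for d in value.split(";") if d.strip()}
    return bool(names & {"default-src", "script-src"})


def _cache_ok(value: str) -> bool:
    """Cache-Control is comma separated; 'no-store' is the directive that stops
    browsers and proxies retaining the response ('none' is not a directive)."""
    return "no-store" in {d.strip().lower() for d in value.split(",")}


# header name -> (validator, hint for fixing the policy value)
REQUIRED = {
    "strict-transport-security": (_hsts_ok, "set max-age=31536000 (HTTPS only)"),
    "x-content-type-options": (lambda v: v.strip().lower() == "nosniff", "set nosniff"),
    "x-frame-options": (lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"}, "set deny"),
    "content-security-policy": (_csp_ok, "set at least script-src 'self'"),
    "cache-control": (_cache_ok, "set no-store"),
}

# headers the policy deletes because they reveal the backend stack
FORBIDDEN = ("x-powered-by", "x-aspnet-version")


def parse_headers(raw: str) -> dict:
    """Turn a pasted response header block into {lowercase name: value}."""
    headers = {}
    for line in raw.strip().splitlines():
        if ":" not in line:  # status line such as 'HTTP/1.1 200 OK'
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: dict) -> list:
    """Return one finding per problem; an empty list means the policy worked."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, (check, hint) in REQUIRED.items():
        if name not in h:
            findings.append(f"missing {name}: {hint}")
        elif not check(h[name]):
            findings.append(f"weak {name}={h[name]!r}: {hint}")
    for name in FORBIDDEN:
        if name in h:
            findings.append(f'disclosure {name}={h[name]!r}: delete it with exists-action="delete"')
    return findings


def audit_raw(raw: str) -> list:
    return audit_headers(parse_headers(raw))


def fetch_headers(url: str) -> dict:
    """Hypothetical helper: GET the gateway URL and return its response headers."""
    with urllib.request.urlopen(urllib.request.Request(url), timeout=10) as resp:
        return {k.lower(): v for k, v in resp.getheaders()}


# Constructed samples resembling the responses seen before and after the policy.
BEFORE_SAMPLE = """\
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Cache-Control: private
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
"""

AFTER_SAMPLE = """\
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
Content-Security-Policy: script-src 'self'
X-Frame-Options: deny
X-Content-Type-Options: nosniff
Expect-Ct: max-age=604800,enforce
Cache-Control: no-store
"""

if __name__ == "__main__":
    import sys
    # python audit.py https://<your-apim>.azure-api.net/courses  (live check)
    found = audit_headers(fetch_headers(sys.argv[1])) if len(sys.argv) > 1 else audit_raw(BEFORE_SAMPLE)
    print("\n".join(found) or "no findings")
```

Run against the "before" sample it reports the five missing or weak headers and the two disclosure headers; against the "after" sample it reports nothing. The Cache-Control check is deliberately strict about no-store so that a typo such as the invalid value none is caught rather than silently accepted.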
 
In this article, we implemented HTTP security headers for a Web API through Azure API Management outbound policies. I hope you find it useful!