Andrew Wilson's Blog

{ ... Plan - Architect - Develop - Reflect - Improve - Repeat ... }

Azure API Management | Unintentional Pass through of Subscription Key Header

Problem Space: There is a potential unintentional side effect when you add an APIM subscription key as a header to an inbound request. The header is not stripped from the request before it is sent to the configured backend service; it is retained. If you manage the backing service and are not concerned with the disclosure of the subscription key, then this is no problem. However, being overly permissive with this information may make your API more vulnerable to security threats, and it prevents a separation of concerns.

Azure API Management | Product Required Subscription Behaviours

Background | Functional Workings of APIM Subscriptions: Subscriptions are a nice and easy method of securing your APIs in APIM; however, as I bumped into a small detail around their use the other day, I thought it wise to note it down. Azure API Management Subscriptions operate at three scope levels. All APIs: applies to any API that requires a Subscription. As this will allow access to ANY API, use this with caution.

Azure API Management | Subscription Contract Names

Problem Space: Subscriptions are a nice and easy method of securing your APIs in APIM; however, as I bumped into a small detail around their use the other day, I thought it wise to note it down. When a Subscription Key is required on an API, as an invoker I will need to provide either a Header or a Parameter in my request which will contain the Subscription Key. By default:

Azure API Management | API Mocking

Problem Space: I have recently been looking into setting up some APIs within API Management. I do not currently have any backing services to hook the APIs to, and I would like to decouple development of the front-end systems from the backend. Thankfully, Azure API Management provides the ability to create mocks for your APIs. In this post I will be walking through API mocking and how to achieve this within Bicep Templates for deployment.

Azure API Management | Purge Soft-Deleted Instance

Problem Space: Around June 2020 a change was made to Azure API Management whereby any deletion of the instance via the Azure portal, Azure PowerShell, Azure CLI, and REST API version 2020-06-01-preview or later will result in the instance being soft-deleted. This allows a recently deleted API Management instance to be recovered, and therefore protects against accidental deletion of the instance. The problem with this is that not all the Azure Resource Management tooling currently supports the management of soft-deleted API Management instances.