CORS Allowed Origin Not Working in Azure API Management

Question

CORS Allowed Origin Not Working in Azure API Management

J, Munna Lal 0

We are using Azure API Management service with an Azure Function app bound to our Azure subscription.

In our scenario, we need to allow only selected URLs through the CORS inbound policy.

Although we have configured the selected URLs to be allowed in the CORS inbound policy, our Azure Function is still accessible from other domains along with the allowed origins.

Our assumption is that except for the allowed origins, other domains should not be able to access the API Management service.

Could there be suggestions for whitelisting the URLs and properly setting up CORS?

Sina Salam 28,606 Reputation points Volunteer Moderator

2024-12-13T20:46:07.4433333+00:00
Hello J, Munna Lal,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

While understanding your issues, I will explain why requests might still be accessible from disallowed domains despite the CORS policy, and the need to test the CORS behavior with actual cross-origin requests, as direct requests (e.g., using Postman) will not trigger CORS checks. Also, the possibility of bypassing CORS restrictions using tools that do not enforce the browser's CORS policy.

Because the issue arises because API Management's CORS policies are only enforced for browser-originated requests. Non-browser clients can bypass these policies unless additional validation is implemented in the backend.

1.Ensure the CORS policy is applied with the following attributes:

terminate-unmatched-request="true": Blocks requests from origins not explicitly listed in allowed-origins.

allow-credentials="false": Only allow requests without credentials unless specifically needed.

Azure Functions have their own CORS settings in the Azure Portal (Platform features > CORS). Ensure these settings are not too permissive (e.g., avoid * as an allowed origin).

CORS is enforced by browsers, not by the API Management service or the Function App. Use a browser or tools like curl with the Origin header to test behavior. For example:

curl -H "Origin: https://disallowed-origin.com" -X GET https://api-management-endpoint

Also, check the Access-Control-Allow-Origin response header. It should be absent or match only allowed origins.

API Management's CORS policy only controls browser-based requests. To restrict all access to specific origins, implement a validation mechanism in the backend service (e.g., the Azure Function app) to check the Origin header and reject unauthorized domains explicitly. In Azure Functions, this is an example:

public static async Task<IActionResult> Run(HttpRequest req, ILogger log) { string origin = req.Headers["Origin"]; var allowedOrigins = new List<string> { "https://example1.com", "https://example2.com" }; if (!allowedOrigins.Contains(origin)) { return new UnauthorizedResult(); } // Proceed with normal processing }

Check other possible causes such as Overly Permissive Policies and Proxy or CDN Configurations.

You can esure no wildcard (*) is used in allowed-origins or allowed-headers and If a CDN or reverse proxy (e.g., Azure Front Door) is in use, check if it overrides or conflicts with the API Management settings respectively.

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
Anonymous

2024-12-16T04:31:23.2733333+00:00

Hi @J, Munna Lal,

Just checking in to see if the above answer provided by @Sina Salam helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Thankyou.
Anonymous

2024-12-17T08:12:07.36+00:00

Hi @J, Munna Lal,

I wanted to follow up and see if you’ve had an opportunity to review my previous message and share the requested details. Having this information will help us assist you more efficiently.

Thankyou.

2 answers

Your answer

Anonymous

2024-12-16T04:31:23.2733333+00:00

Hi @J, Munna Lal,

Just checking in to see if the above answer provided by @Sina Salam helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Thankyou.
Anonymous

2024-12-17T08:12:07.36+00:00

Hi @J, Munna Lal,

I wanted to follow up and see if you’ve had an opportunity to review my previous message and share the requested details. Having this information will help us assist you more efficiently.

Thankyou.

Answer 1

Hi @J, Munna Lal,

We sincerely apologize for the delay in response and appreciate your patience.

It looks like you're facing an issue with the CORS inbound policy in API Management, where requests from other URLs are still being accepted despite your configuration to allow only specific domains. Here’s a straightforward approach to help you resolve this:

First, double-check your CORS settings in API Management. Make sure the policy is applied at the correct level—either at the API level or the operation level.

Ensure that your CORS policy is set up correctly. Here’s an example of how to configure it in Azure API Management: <inbound>

<cors>

    <allowed-origins>

        <origin>https://companyabcproducts.atlassian.net</origin>

    </allowed-origins>

    <allowed-methods>

        <method>GET</method>

        <method>POST</method>

        <method>OPTIONS</method>

    </allowed-methods>

    <allowed-headers>

        <header>*</header>

    </allowed-headers>

</cors>

</inbound>

Sometimes, browser caching can interfere with CORS behavior. Try clearing your browser cache or testing in an incognito window to ensure that the latest CORS settings are being applied.
Review any other policies that might be affecting request handling, such as authentication or IP filtering. Make sure there are no conflicting policies that could allow unwanted requests.
Use tools like Postman or your browser's developer tools to test CORS requests. Check the response headers to confirm that the Access-Control-Allow-Origin header is set correctly and only allows the specified origin.

For more detailed guidance on configuring CORS in Azure API Management, please refer to the official documentation here:

https://learn.microsoft.com/en-us/azure/api-management/api-management-policies

By following these steps, you should be able to effectively manage your CORS policy and ensure that only the specified domain can make requests. If you continue to experience issues, please let me know, and we can explore further options together.

Answer 2

J, Munna Lal 0

Hi Team,We have tested the application in browser after modified the CORS inbound policy to not accept the inbound connections except selected domain URLs.

ie , we have added https://companyabcproducts.atlassian.net/ in the CORS inbound policy and our expectation is, from above URL only the connections to be admitted and established.

But, other URL requests also being accepted through the API management.

Because of this our JIRA webhook modificaitons are getting reflected in the destination application.

Please share if any other options are available for enabling the CORS policy and to validate the same.

Anonymous

2025-01-27T02:24:11.43+00:00

Hi @J, Munna Lal,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Anonymous

2025-01-28T05:23:56.2266667+00:00

Hi @J, Munna Lal,

If you found the response helpful, please click Accept Answer and Yes for the provided answer. This will help other community members with similar issues find the solution more easily.

Share via

CORS Allowed Origin Not Working in Azure API Management

2 answers

Your answer