Is Domain name or Host name whitelisting possible in APIM

Question

Is Domain name or Host name whitelisting possible in APIM

Smruti Ranjan Nayak 81 Microsoft Employee

Hi team,

I would like to enforce additional layers of security on the accessibility of apis in an APIM. Subscription keys are not good enough for this. I would like to know if its possible to whitelist a few host names or domains who could access the apis in APIM. Thanks.

Regards,

Smruti

0 comments

1 answer

Your answer

Answer 1

yes you can achieve this through the use of policies, which are collections of statements applied to the request or response of an API

https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-policies

for whitelisting you can use Referer header like the following

<choose>
    <when condition="@(context.Request.Headers.GetValueOrDefault('Referer', '').Contains('https://example.com'))">
        <return-response>
            <set-status code="200" reason="OK" />
        </return-response>
    </when>
    <otherwise>
        <return-response>
            <set-status code="403" reason="Forbidden" />
        </return-response>
    </otherwise>
</choose>

https://learn.microsoft.com/en-us/answers/questions/1328349/how-to-verify-the-user-host-in-api-management-poli

and do to forget for cross-domain calls from browser-based clients, use cors policy with allowed-origins to specify the origins URL

https://learn.microsoft.com/en-us/azure/api-management/cors-policy#elements

Smruti Ranjan Nayak 81 Reputation points Microsoft Employee

2024-01-18T08:34:45.6966667+00:00

Thanks for your response. I understand that domain name or host name whitelisting is possible through the use of policies. These statements (given in the XML snip) however are not working. Could you please provide me the correct statements. I really appreciate it. Thanks.

Share via

Is Domain name or Host name whitelisting possible in APIM

1 answer

Your answer