I would like to track which domains my current API Management resource is allowing so I can better secure my API Management CORS policy. Currently I have this setup; however, when I look it up in Application Insights I get an Origin: None on all entries. How can I trace the exact domains that my API Management resource is currently allowing?
```xml
<policies>
    <inbound>
        <!-- Capture and trace Origin header -->
        <set-variable name="originHeader" value="@(context.Request.Headers.GetValueOrDefault("Origin", "none"))" />
        <set-header name="x-origin" exists-action="override">
            <value>@((string)context.Variables["originHeader"])</value>
        </set-header>
        <trace source="OriginTracker">@("Origin: " + (string)context.Variables["originHeader"])</trace>
        <!-- CORS Configuration -->
        <cors allow-credentials="true">
            <allowed-origins>
                <origin>https://apimv.developer.azure-api.net</origin>
            </allowed-origins>
            <allowed-methods preflight-result-max-age="300">
                <method>*</method>
            </allowed-methods>
            <allowed-headers>
                <header>*</header>
            </allowed-headers>
            <expose-headers>
                <header>*</header>
            </expose-headers>
        </cors>
        <!-- HTTPS Redirection -->
        <choose>
            <when condition="@(context.Request.OriginalUrl.Scheme.Equals("http"))">
                <return-response>
                    <set-status code="302" reason="Requires SSL" />
                    <set-header name="Location" exists-action="override">
                        <value>@("https://" + context.Request.OriginalUrl.Host + context.Request.OriginalUrl.Path)</value>
                    </set-header>
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <forward-request />
    </backend>
    <outbound />
    <on-error />
</policies>
```
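Once the `OriginTracker` messages have been exported from Application Insights, they can be tallied and compared against the policy's `<allowed-origins>` list. The script below is an added example, not part of the original question: the sample messages and policy excerpt are constructed, the function names are hypothetical, and the origin normalization (case and default port) is this script's own assumption, not documented API Management behaviour.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample messages in the "Origin: <value>" shape the question's trace policy writes.
SAMPLE_TRACES = [
    "Origin: https://apimv.developer.azure-api.net", "Origin: none",
    "Origin: HTTPS://APIMV.developer.azure-api.net:443", "Origin: none",
    "Origin: https://app.example.com", "Origin: null",
]
# Constructed excerpt of the <allowed-origins> block from the question's policy.
SAMPLE_POLICY = "<allowed-origins><origin>https://apimv.developer.azure-api.net</origin></allowed-origins>"
DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_origin(value):
    """Lower-case scheme/host and drop a default port so equal origins compare equal."""
    raw = value.strip()
    try:
        parts = urlsplit(raw)
        port = parts.port
    except ValueError:  # malformed port or host
        return raw.lower()
    if not parts.scheme or not parts.hostname:
        return raw.lower()  # "none" (header absent), "null", or not a URL
    if port is None or port == DEFAULT_PORTS.get(parts.scheme):
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"

def allowed_origins(policy_text):
    """Regex extraction: policy expressions nest quotes in attributes, so the file may not parse as XML."""
    found = re.findall(r"<origin>\s*([^<]+?)\s*</origin>", policy_text)
    return {normalize_origin(o) for o in found}

def audit(traces, policy_text):
    """Count observed origins per bucket: allowed, not_allowed, and no Origin header."""
    allowed = allowed_origins(policy_text)
    report = {"allowed": Counter(), "not_allowed": Counter(), "no_origin": 0}
    for message in traces:
        match = re.match(r"Origin:\s*(.*)$", message)
        if not match:
            continue  # unrelated trace line
        origin = normalize_origin(match.group(1))
        if origin == "none":
            report["no_origin"] += 1
        elif "*" in allowed or origin in allowed:
            report["allowed"][origin] += 1
        else:
            report["not_allowed"][origin] += 1
    return report
```

The `no_origin` bucket counts requests where the policy's `"none"` default was used, that is, requests that arrived without an `Origin` header.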