erossini asked JananiRamesh-MSFT answered

Add HSTS to an Azure API Management Service

On Azure, I created a new API Management Service and behind it I connected all the APIs.

After a penetration test, there was only one vulnerability detected from the security company that is No HSTS Header observed.

The HTTP Strict Transport Security (HSTS) policy defines a time frame during which a browser must connect to the web server via HTTPS. Without a Strict Transport Security policy, the web application may be connected to using unencrypted HTTP. The application does not specify any HSTS configuration.

Potential Impact

If the web application mixes usage of HTTP and HTTPS, an attacker can manipulate pages in the unsecured area of the application or change redirection targets in such a manner that the switch to the secured page is not performed, or is performed in a manner such that the attacker remains between client and server.

If there is no HTTP server, an attacker in the same network could simulate an HTTP server and motivate the user to click on a prepared URL via a social engineering attack.

So, my question is: how can I apply this policy across my APIs?

azure-api-management

1 Answer

JananiRamesh-MSFT answered

@erossini Thanks for reaching out. Currently APIM doesn't support the HSTS header.

You can configure each API to listen on HTTP, HTTPS or both, but this does not support redirection; if you configure an API to only listen on HTTPS and send an HTTP request, you will get a 404 from APIM.

However, you can enforce HTTPS in the following way:

1) You can add an input policy which can redirect all HTTP calls to HTTPS. This is the most recommended approach.

  <inbound>
      <choose>
          <!-- String literals inside an attribute value must be XML-escaped (&quot;), not raw double quotes -->
          <when condition="@(context.Request.OriginalUrl.Scheme.Equals(&quot;http&quot;))">
              <return-response>
                  <set-status code="302" reason="Requires SSL" />
                  <set-header exists-action="override" name="Location">
                      <value>@("https://" + context.Request.OriginalUrl.Host + context.Request.OriginalUrl.Path)</value>
                  </set-header>
              </return-response>
          </when>
      </choose>
  </inbound>

Note: even with the above steps, when a security scan runs, you will still see the message “HSTS header is missing”.

You can also leave your feedback on our APIM feedback page for feature requests: aka.ms/apimwish.

To help the community find the right answers, please mark the post which was helpful by clicking on ‘Accept Answer’ & ‘Up-Vote’.
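The answer's note that a scan still reports "HSTS header is missing" even after the redirect policy is in place comes down to two separate checks. The following offline checker, added here as an example and not part of the original question or answer, evaluates captured responses the way such a scanner does: it verifies that an http:// probe is redirected to https:// on the same host, and separately that the https:// response carries a well-formed Strict-Transport-Security header. The sample responses, the hostname api.example.test and the one-year max-age floor are constructed assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Response:  # a captured HTTP response; url is the URL that was requested
    url: str
    status: int
    headers: dict = field(default_factory=dict)

def get_header(resp, name):
    """Case-insensitive header lookup, since HTTP header names are not case-sensitive."""
    return next((v for k, v in resp.headers.items() if k.lower() == name.lower()), None)

def redirects_to_https(resp):
    """True if an http:// probe was answered with a 3xx pointing at https:// on the same host."""
    loc = get_header(resp, "Location")
    if not (300 <= resp.status < 400) or loc is None:
        return False
    return urlsplit(loc).scheme == "https" and urlsplit(loc).hostname == urlsplit(resp.url).hostname

def parse_hsts(value):
    """Parse Strict-Transport-Security into (max_age, includeSubDomains, preload); None if max-age is missing or malformed."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = [p.strip() for p in directive.lower().partition("=")]
        if name == "max-age" and val.strip('"').isdigit():
            max_age = int(val.strip('"'))
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, include_sub, preload)

def assess(http_resp, https_resp, min_max_age=31536000):
    """Findings a scanner would raise; the one-year max-age floor is an assumed, commonly used threshold."""
    findings = []
    if not redirects_to_https(http_resp):
        findings.append("HTTP not redirected to HTTPS")
    hsts = get_header(https_resp, "Strict-Transport-Security")
    if hsts is None:
        findings.append("No HSTS header observed")  # the finding quoted in the question
    elif (parsed := parse_hsts(hsts)) is None:
        findings.append("HSTS header malformed")
    elif parsed[0] < min_max_age:
        findings.append(f"HSTS max-age {parsed[0]} below {min_max_age}")
    return findings

# Constructed sample: the redirect policy from the answer is in place, but the HTTPS response has no HSTS header.
HTTP_PROBE = Response("http://api.example.test/v1/items", 302, {"Location": "https://api.example.test/v1/items"})
HTTPS_PROBE = Response("https://api.example.test/v1/items", 200, {"Content-Type": "application/json"})
```

With the constructed sample, assess(HTTP_PROBE, HTTPS_PROBE) returns only "No HSTS header observed", which is exactly the residual finding the answer warns about once the redirect is configured.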