Add HSTS to an Azure API Management Service

Enrico Rossini 176 Reputation points
2022-05-11T13:21:18.38+00:00

On Azure, I created a new API Management Service and behind it I connected all the APIs.

After a penetration test, only one vulnerability was detected by the security company: No HSTS Header observed.

The HTTP Strict Transport Security (HSTS) policy defines a time-frame during which a browser must connect to the web server via HTTPS. Without a Strict Transport Security policy, the web application may be connected to using unencrypted HTTP. The application does not specify any HSTS configuration.

Potential Impact

If the web application mixes usage of HTTP and HTTPS, an attacker can manipulate pages in the unsecured area of the application or change redirection targets in such a manner that the switch to the secured page is not performed, or is done in a manner that leaves the attacker between client and server.

If there is no HTTP server, an attacker on the same network could simulate an HTTP server and motivate the user to click on a prepared URL via a social engineering attack.

So, my question is: how can I apply this policy across my APIs?


Accepted answer
JananiRamesh-MSFT 21,001 Reputation points
2022-05-23T03:48:41.607+00:00

    @Enrico Rossini Thanks for reaching out. Currently APIM doesn't support HSTS header.

    You can configure each API to listen on HTTP, HTTPS or both, but this does not support redirection; if you configure an API to only listen on HTTPS and send an HTTP request, you will get a 404 from APIM.

    However, please find below the way to enforce HTTPS:

    1) You can add an input policy which can redirect all HTTP calls to HTTPS. This is the most recommended approach.

    <inbound>
        <choose>
            <!-- Only act when the original client request arrived over plain HTTP -->
            <when condition="@(context.Request.OriginalUrl.Scheme.Equals("http"))">
                <!-- Short-circuit the pipeline: the backend is never called for HTTP requests -->
                <return-response>
                    <set-status code="302" reason="Requires SSL" />
                    <!-- Redirect to the same host and path over HTTPS (host + path only; the query string is not carried over) -->
                    <set-header exists-action="override" name="Location">
                        <value>@("https://" + context.Request.OriginalUrl.Host + context.Request.OriginalUrl.Path)</value>
                    </set-header>
                </return-response>
            </when>
        </choose>
    </inbound>

    Note: even with the above steps, when a security scan runs, you will still see the message “HSTS header is missing”.

    You can also leave your feedback on our APIM feedback page for feature requests - aka.ms/apimwish.

    To help the community find the right answers, please mark the post which was helpful by clicking on 'Accept Answer' & 'Up-Vote'.

    2 people found this answer helpful.
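The following policy document is an added example for this thread; it is not part of the accepted answer and not Microsoft's own guidance. It combines the HTTP-to-HTTPS redirect shown above with an outbound `set-header` that emits a `Strict-Transport-Security` header on HTTPS responses, which is what a scanner reporting "No HSTS Header observed" is looking for. It assumes three things: that the generic `set-header` policy (already used in the answer for `Location`) can set an arbitrary response header in the `<outbound>` section, that a policy placed at the "All APIs" (global) scope is inherited by every API whose own policy keeps `<base />`, and that `max-age=31536000; includeSubDomains` is an acceptable value for this deployment. The header is only set on HTTPS responses because browsers ignore HSTS received over plain HTTP.

```xml
<!-- Added example: global ("All APIs") scope policy, not the answer's own code.
     Assumes set-header can emit Strict-Transport-Security in <outbound>,
     and that per-API policies keep <base /> so this policy is inherited. -->
<policies>
    <inbound>
        <base />
        <choose>
            <!-- Same redirect as in the accepted answer: plain-HTTP requests never reach the backend -->
            <when condition="@(context.Request.OriginalUrl.Scheme.Equals("http"))">
                <return-response>
                    <set-status code="302" reason="Requires SSL" />
                    <set-header exists-action="override" name="Location">
                        <value>@("https://" + context.Request.OriginalUrl.Host + context.Request.OriginalUrl.Path)</value>
                    </set-header>
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <choose>
            <!-- Emit HSTS only on responses that were served over HTTPS;
                 browsers discard the header when it arrives over HTTP -->
            <when condition="@(context.Request.OriginalUrl.Scheme.Equals("https"))">
                <!-- max-age is in seconds: 31536000 = one year (assumed value, tune to your rollout plan) -->
                <set-header exists-action="override" name="Strict-Transport-Security">
                    <value>max-age=31536000; includeSubDomains</value>
                </set-header>
            </when>
        </choose>
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two practical notes on the design. First, `includeSubDomains` commits every subdomain of the APIM host to HTTPS for the whole `max-age`, so confirm no subdomain still depends on plain HTTP before enabling it; a short `max-age` during rollout limits the blast radius of a mistake. Second, the redirect carries only host and path (as in the answer), so clients that send query parameters over HTTP lose them on the redirect; since the goal is that no production client ever uses HTTP, treat such redirects in the gateway logs as a signal of a misconfigured client rather than something to accommodate.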

0 additional answers
