Exercise - Mask URLs with a transformation policy
If you host an API that includes its original URL in responses, clients may be able to bypass your API Management policies by connecting directly to the API. You can prevent that by masking the original URL in API responses.
The Census API example includes its URL in this way. You want to make sure that all requests go through API Management.
In this unit, you learn how to mask some of the data returned in the body of the Census API. You use a transformation policy to rewrite the URL data exposed in the body of the response.
Mask URLs
The following exercise demonstrates how to apply the Mask URL transformation policy within API Management.
Sign into the Azure portal using the same account you used in the previous exercise.
On the Azure portal menu or from the Home page, select All Resources, and then select your API Management instance.
In the left menu pane, Under APIs, select APIs, and in the middle pane, select Census Data.
In the top menu bar, select the Design tab, and then select All operations.
In the Outbound processing section, select the </> icon. The XML policy editor appears.
Inside the
<outbound>element, below the<set-header-name>element you added previously, add the following element:<redirect-content-urls />Select Save.
Test the new policy
We can use the Test tool in the Azure portal to check that the policy behaves as we want:
Select Census Data again, and in the top menu bar, select the Test tab.
Select GetLatestCensus, and then select Send.
You should now see how the Mask URL transformation policy has altered the links within the response body to the API Management endpoints. You should see the name of your API Management instance in the URL.
