Azure API Management | Unintentional Pass through of Subscription Key Header

Problem Space

There is a potential unintentional side effect when you add a APIM subscription key as a header to an inbound request. The header is not stripped from the request prior to being sent to the configured backend service. Rather it is retained.

If you manage the backing service and are not concerned with the disclosure of the subscription key, then no problem. However, being overly permissive of this information may make your API more vulnerable to security threats and disallows a separation of concerns.

The more concerning of the options is where you are using a backing service that is outside of your control, and the backing service being potentially vulnerable to security threats that you are not in a position to manage.

General Rule of Thumb : Prevent ANY overly permissive configurations that will make your APIs more vulnerable to security threats.

Solution

To strip the header out of the outbound request we can make use of APIM Policies, more specifically the set-header policy.

<policies>
    <inbound>
        <base />
        <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

Make sure that the header name is set to the name you have used for your subscription key header, by default this is set to Ocp-Apim-Subscription-Key.

Lastly, this is not a policy that you have to provide per API Operation, but can be placed at the respective scope at which you have enabled APIM Subscriptions.

For the original version of this post see Andrew Wilson's personal blog at Azure API Management | Unintentional Pass through of Subscription Key Header