Using policies in API Management to remove response headers from the backend Web API that leak information

A while ago I showed a fellow MVP a couple of Web APIs that were secured with Azure API Management. He liked the solution, but he also showed me that when you call the Web APIs through the Azure API Management gateway, information about the backend Web API is leaked in the response headers.
The Domain attribute in the Set-Cookie header is especially dangerous, because it reveals the location (hostname) of the backend Web API. With that information an attacker can bypass Azure API Management and call the backend Web API directly!

Response Headers that show information about a backend Web API:

  • Set-Cookie
  • X-Powered-By

Figure: Web API response headers
As always there are several ways to solve this, but if you don’t need these headers, the easiest way is simply to remove them with policies in API Management.


In the Azure Portal, navigate to your API Management instance and select Products in the menu. Then select the Product you want to apply the policy to and click Policies.
Figure: Azure API Management - Product Policies
Set the cursor inside the outbound element of the policy XML, then add Set HTTP header from the menu.
Modify the set-header policies so that they delete the "Set-Cookie" and "X-Powered-By" headers.
Figure: Azure API Management - Add Set HTTP header
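The product-scope policy document that the steps above produce, written out as an added example (it is not a screenshot or file from the original post). The `set-header` element with `exists-action="delete"` is the standard API Management policy; the `<base />` elements are assumed so that policies inherited from the global scope still run.

```xml
<policies>
    <inbound>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Strip response headers that reveal the location and platform
             of the backend Web API. exists-action="delete" removes the
             header when the backend sent it and is a no-op otherwise, so
             the policy is safe on endpoints that never set these headers. -->
        <set-header name="Set-Cookie" exists-action="delete" />
        <set-header name="X-Powered-By" exists-action="delete" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Deleting Set-Cookie only works when the client does not depend on a backend session cookie; if it does, keep the header and remove the Domain attribute instead, since the point is to stop revealing the backend hostname.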



Azure API Management is very powerful and you get a lot of functionality out of the box, but leaking information in response headers can easily be overlooked, while it is crucial to remove this information. Luckily it can also easily be fixed!

About the author

Tomasso Groenendijk lives in Netherlands and is a Solution Architect at Insight. He has over 20 years experience in software development and software design. Tomasso is specialized in application integration with a strong interest in the Windows Azure cloud platform. From 2014, Tomasso has been awarded six times with the Microsoft Azure MVP award. He is an active contributor to the integration community through his work on his blog, GitHub samples, TechNet Wiki and speaking on events. Furthermore he is an official board member of the Dutch Microsoft Integration User Group.
