Hi Carl Hansen,
Thanks for posting your question in the Microsoft Q&A forum.
The `check-header` policy is intended to verify the presence of a specific header and its value. If the header is missing or the value doesn't match, it returns a specified HTTP status code, such as 401 Unauthorized. However, if the requested operation or resource does not exist in APIM, a 404 Resource Not Found response is returned regardless of the header's presence. This occurs because APIM first checks for the existence of the requested operation before applying any policies or authentication checks.
To prevent attackers from enumerating over your APIs and operations, you can consider the following approaches:
- Use a more restrictive IP allow list: Instead of relying solely on the `X-Azure-FDID` header, you can configure APIM to only accept requests from a specific set of IP addresses or ranges.
- Use a more secure authentication mechanism: Instead of relying on a simple header check, you can implement a more robust authentication mechanism, such as OAuth 2.0 or API keys.
- Use a reverse proxy or API gateway: Instead of exposing APIM directly to the internet, you can place it behind a reverse proxy or API gateway, such as Azure Front Door or Azure Application Gateway.
- Implement rate limiting: You can configure rate limiting policies in APIM to limit the number of requests that can be made to your APIs within a specific time period.
Please don't forget to close the thread by upvoting and accepting this as an answer if it is helpful.
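The following is an added example, not part of the answer above, showing what an APIM inbound policy section looks like when it combines the `check-header` policy discussed in the question with the IP allow list and rate limiting the answer recommends. The Front Door ID and the address range are placeholders, and the 401 status code and `X-Azure-FDID` header name come from the thread.

```xml
<!-- Added example policy (not from the answer above). Placeholder values:
     the address range and the Front Door instance ID must be replaced with your own. -->
<policies>
    <inbound>
        <base />
        <!-- Only accept traffic from the upstream proxy's address range (placeholder range) -->
        <ip-filter action="allow">
            <address-range from="203.0.113.0" to="203.0.113.255" />
        </ip-filter>
        <!-- Require the Front Door ID header; respond 401 when it is missing or does not match.
             The <value> is a placeholder for your Front Door instance ID. -->
        <check-header name="X-Azure-FDID" failed-check-httpcode="401"
                      failed-check-error-message="Unauthorized" ignore-case="true">
            <value>00000000-0000-0000-0000-000000000000</value>
        </check-header>
        <!-- Allow at most 100 calls per subscription in each 60 second window -->
        <rate-limit calls="100" renewal-period="60" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two points worth keeping in mind when applying a policy like this. `rate-limit` counts per subscription, so for APIs that accept anonymous callers the `rate-limit-by-key` policy with a `counter-key` expression (for example, the caller's IP address) is the variant that actually limits them. And, as the answer explains, these inbound policies only run once APIM has matched the request to an existing operation; a request to a path that does not exist still gets a 404 before any of them execute, which is why the IP allow list on the proxy in front of APIM is the control that limits enumeration rather than the header check alone.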