Azure API Management developer portal has no content-security-policy headers

Robert Zuberec 21 Reputation points
2020-07-28T20:07:29.673+00:00

When you create an Azure API Management instance, it has a developer portal, where your API can be accessed publicly by others to see your API documentation. We would like to use it, but when we open the developer portal from our instance https://apimInstanceName.developer.azure-api.net/ it will display a page correctly, but our security scanner is complaining that this page has no CSP content-security-policy headers. They are missing in the response.
How can we control the CSP headers for APIM developer portal?
Thanks
Robert

Azure API Management

Accepted answer
  1. MayankBargali-MSFT 69,946 Reputation points
    2020-07-31T03:51:17.957+00:00

    Hi anonymous userZuberec-8959

    The short term workaround is to self-host the portal: https://github.com/Azure/api-management-developer-portal/wiki/Self-hosting-the-portal
    As updated from the team, I have created the issue in GitHub to track it: https://github.com/Azure/api-management-developer-portal/issues/798

    Let me know if you have any concerns.
