API Management allows unencrypted communication with clients

Security · API Management · Rule · 2020_06 · Important

Unencrypted communication could allow disclosure of information to an untrusted party.

Description

When a client connects to API Management it can use HTTP or HTTPS. Each API can be configured to accept connections over HTTP and/or HTTPS. When HTTP is allowed, sensitive information in requests and responses may be exposed to an untrusted party.

Recommendation

Consider configuring each API to only accept HTTPS connections. In the portal, this is done by selecting only the HTTPS URL scheme for the API.

Examples

Configure with Azure template

To deploy APIs that pass this rule:

  • Set the properties.protocols property to include https, AND
  • Remove http from the properties.protocols property.

For example:

Azure Template snippet
{
  "type": "Microsoft.ApiManagement/service/apis",
  "apiVersion": "2022-08-01",
  "name": "[format('{0}/{1}', parameters('name'), 'echo-v1')]",
  "properties": {
    "displayName": "Echo API",
    "description": "An echo API service.",
    "type": "http",
    "path": "echo",
    "serviceUrl": "https://echo.contoso.com",
    "protocols": [
      "https"
    ],
    "apiVersion": "v1",
    "apiVersionSetId": "[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]",
    "subscriptionRequired": true
  },
  "dependsOn": [
    "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]",
    "[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]"
  ]
}

Configure with Bicep

To deploy APIs that pass this rule:

  • Set the properties.protocols property to include https, AND
  • Remove http from the properties.protocols property.

For example:

Azure Bicep snippet
resource api 'Microsoft.ApiManagement/service/apis@2022-08-01' = {
  parent: service
  name: 'echo-v1'
  properties: {
    displayName: 'Echo API'
    description: 'An echo API service.'
    type: 'http'
    path: 'echo'
    serviceUrl: 'https://echo.contoso.com'
    protocols: [
      'https'
    ]
    apiVersion: 'v1'
    apiVersionSetId: version.id
    subscriptionRequired: true
  }
}
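The two conditions above (protocols includes https, and does not include http) are simple enough to evaluate in a pre-deployment check of your own. The following is an added example, not PSRule for Azure's implementation of this rule; it walks an ARM template in JSON form (which is also what Bicep compiles to), collects every Microsoft.ApiManagement/service/apis resource including ones nested under a parent, and reports pass/fail per API. The sample template embedded in it is constructed for this illustration, and the resource names are placeholders.

```python
"""Evaluate API Management API resources for the HTTPS-only rule.

Added example illustrating the rule's logic; this is not PSRule's own code.
The SAMPLE_TEMPLATE below is constructed for the illustration.
"""
import json
from typing import Any, Dict, Iterator, List

API_TYPE = "Microsoft.ApiManagement/service/apis"


def _protocols(resource: Dict[str, Any]) -> List[str]:
    """Return the declared protocols, lower-cased; non-list values yield []."""
    value = resource.get("properties", {}).get("protocols", [])
    if not isinstance(value, list):
        return []
    return [str(p).lower() for p in value]


def api_passes(resource: Dict[str, Any]) -> bool:
    """Pass only when protocols includes https AND excludes http.

    A missing or empty protocols property fails, because the first
    condition (explicitly include https) is not satisfied.
    """
    protocols = _protocols(resource)
    return "https" in protocols and "http" not in protocols


def _walk_resources(resources: List[Dict[str, Any]]) -> Iterator[Dict[str, Any]]:
    """Yield every resource, descending into nested child 'resources' arrays."""
    for res in resources:
        yield res
        yield from _walk_resources(res.get("resources", []))


def check_template(template_text: str) -> Dict[str, bool]:
    """Map each APIM API resource name in the template to its rule result."""
    template = json.loads(template_text)
    results: Dict[str, bool] = {}
    for res in _walk_resources(template.get("resources", [])):
        if res.get("type") == API_TYPE:
            results[res["name"]] = api_passes(res)
    return results


# Constructed sample: one compliant API and two that still allow HTTP.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": API_TYPE,
            "apiVersion": "2022-08-01",
            "name": "apim/echo-v1",
            "properties": {"path": "echo", "protocols": ["https"]},
        },
        {
            "type": API_TYPE,
            "apiVersion": "2022-08-01",
            "name": "apim/legacy-v1",
            "properties": {"path": "legacy", "protocols": ["http", "https"]},
        },
        {
            "type": "Microsoft.ApiManagement/service",
            "apiVersion": "2022-08-01",
            "name": "apim",
            # Nested child resource: only HTTP, so it fails as well.
            "resources": [
                {
                    "type": API_TYPE,
                    "apiVersion": "2022-08-01",
                    "name": "apim/internal-v1",
                    "properties": {"path": "internal", "protocols": ["http"]},
                }
            ],
        },
    ],
})


if __name__ == "__main__":
    for name, ok in check_template(SAMPLE_TEMPLATE).items():
        print(f"{'PASS' if name and ok else 'FAIL'}  {name}")
```

Protocol values are compared case-insensitively so that a hand-edited template with "HTTPS" is still recognised; an API whose protocols property is an ARM expression string rather than a literal array cannot be evaluated statically and is reported as a failure, which is the safer default for a pre-deployment gate.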

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/api-management/service:<version>

To use the latest version:

br/public:avm/res/api-management/service:0.6.0
