In Azure API Management Policy I want to clean the Response Headers being sent by a backend system (to prevent data leakage). I don't want to hard-code each current header name that is being sent by the backend system, as this won't account for new headers potentially added in future by new versions of the software, and we'd also have to do this for all operations, testing each operation, capturing the headers and then updating the policy.
Ideally I'd like to set a list of allowed headers (per API Operation) and delete the rest.
I've tried a number of approaches, but the set-header policy doesn't allow multiple names to be passed (I thought at one point it might take a comma-separated list), and there doesn't seem to be a looping policy like for-each to enable running set-header multiple times.
Is there something I'm missing to enable me to do this? Can this be done somehow through policy expressions etc?
Thanks, Jason
There is no good way to achieve that at the moment, but there is a hack:
<retry condition="@(context.Response.Headers.Keys.Any(k => !(new[] {"allowed-header-1", "allowed-header-2"}.Contains(k, StringComparer.InvariantCultureIgnoreCase))))" count="50" interval="0">
    <set-variable name="headerName" value="@(context.Response.Headers.Keys.FirstOrDefault(k => !(new[] {"allowed-header-1", "allowed-header-2"}.Contains(k, StringComparer.InvariantCultureIgnoreCase))) ?? "")" />
    <choose>
        <when condition="@(!string.IsNullOrEmpty((string)context.Variables["headerName"]))">
            <set-header name="@((string)context.Variables["headerName"])" exists-action="delete" />
        </when>
    </choose>
</retry>
In short, the retry policy will keep retrying as long as there is a non-allowed header. Inside it you get the first non-allowed header into a variable and remove it via the set-header policy.
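For reference, here is the same trick placed in a complete operation-scoped policy document. This is an added example, not code from the answer above or from Microsoft's documentation; the allow list, the variable names (allowedHeaders, headerToDelete) and the choice of which headers to keep are assumptions for illustration, and the count and interval values simply follow the answer. The allow list is stored once in a variable so the two expressions cannot drift apart, and the set-header call is guarded because retry runs its children once before it evaluates the condition, so there may be nothing left to delete on that first pass.

```xml
<!-- Added example, not part of the original answer. Operation-level policy:
     keep only the response headers named in allowedHeaders, delete the rest.
     Header names and variable names below are illustrative assumptions. -->
<policies>
    <inbound>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Headers clients need to process the body stay; everything else the
             backend emits (e.g. Server, X-Powered-By, X-AspNet-Version) goes.
             Comma-separated, no spaces, compared case-insensitively below. -->
        <set-variable name="allowedHeaders" value="Content-Type,Content-Length,Content-Encoding,Cache-Control,Date" />
        <!-- retry executes its children once, then repeats them while the
             condition is true (up to 50 times), i.e. while any header is
             outside the allow list. -->
        <retry condition="@(context.Response.Headers.Keys.Any(k => !((string)context.Variables["allowedHeaders"]).Split(',').Contains(k, StringComparer.OrdinalIgnoreCase)))" count="50" interval="0">
            <!-- FirstOrDefault rather than First: on the very first pass there
                 may be no disallowed header, and First() would throw. -->
            <set-variable name="headerToDelete" value="@(context.Response.Headers.Keys.FirstOrDefault(k => !((string)context.Variables["allowedHeaders"]).Split(',').Contains(k, StringComparer.OrdinalIgnoreCase)) ?? "")" />
            <choose>
                <when condition="@(!string.IsNullOrEmpty((string)context.Variables["headerToDelete"]))">
                    <set-header name="@((string)context.Variables["headerToDelete"])" exists-action="delete" />
                </when>
            </choose>
        </retry>
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two practical checks before relying on this: make sure the allow list keeps the headers the client actually needs (stripping Content-Type or Content-Length will break consumers, which is why they appear in the list above), and remember that the count attribute caps how many headers can be removed per response, so a backend that emits more than 50 disallowed headers would still leak the remainder. The outbound section is only reached for responses the gateway considers successful; error responses flow through on-error, so the same cleanup would have to be repeated there if the backend leaks headers on errors as well.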