API Management allows unencrypted communication with clients
March 21, 2025 ยท View on GitHub
SYNOPSIS
Unencrypted communication could allow disclosure of information to an untrusted party.
DESCRIPTION
When an client connects to API Management it can use HTTP or HTTPS. Each API can be configured to accept connection for HTTP and/ or HTTPS. When using HTTP, sensitive information may be exposed to an untrusted party.
RECOMMENDATION
Consider setting the each API to only accept HTTPS connections. In the portal, this is done by configuring the HTTPS URL scheme.
EXAMPLES
Configure with Azure template
To deploy apis that pass this rule:
- Set the
properties.protocolsproperty to includehttps. AND - Remove
httpfrom theproperties.protocolsproperty.
For example:
{
"type": "Microsoft.ApiManagement/service/apis",
"apiVersion": "2022-08-01",
"name": "[format('{0}/{1}', parameters('name'), 'echo-v1')]",
"properties": {
"displayName": "Echo API",
"description": "An echo API service.",
"type": "http",
"path": "echo",
"serviceUrl": "https://echo.contoso.com",
"protocols": [
"https"
],
"apiVersion": "v1",
"apiVersionSetId": "[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]",
"subscriptionRequired": true
},
"dependsOn": [
"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]",
"[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]"
]
}
Configure with Bicep
To deploy apis that pass this rule:
- Set the
properties.protocolsproperty to includehttps. AND - Remove
httpfrom theproperties.protocolsproperty.
For example:
resource api 'Microsoft.ApiManagement/service/apis@2022-08-01' = {
parent: service
name: 'echo-v1'
properties: {
displayName: 'Echo API'
description: 'An echo API service.'
type: 'http'
path: 'echo'
serviceUrl: 'https://echo.contoso.com'
protocols: [
'https'
]
apiVersion: 'v1'
apiVersionSetId: version.id
subscriptionRequired: true
}
}