Discuss the security aspects more #1916

Closed
lanatmwan opened this Issue · 6 comments

7 participants

@lanatmwan

In particular, I would like to see some mention of how different sections of the API can be secured separately. I can imagine how that is accomplished on the Azure API front end, but what prevents someone from getting access to the full API surface at the original URL if they happen to know it?

@mollybostic
Collaborator

@lanatmwan, thanks for the suggestion! Is this related to API Management? Is there a specific article you've read where you think it would make sense for us to incorporate this information?

@lanatmwan
@deneha deneha closed this
@deneha deneha reopened this
@squillace
Collaborator

@deneha Dene, can we find the API Management owner and have them review this to see if it's still outstanding?

@deneha
Collaborator

@davidwrede Can you review this issue and let us know if it is still outstanding?

@davidwrede davidwrede was assigned by deneha
@jimbe jimbe added the Modern Apps label
@steved0x
Collaborator

Hi,

Sorry for the long delay in responding. Thank you for the feedback. The backend service can be protected using basic authentication or mutual certificate authentication. Either of these methods will prevent a developer from calling directly into the backend API if they were to stumble upon the direct URLs for the backend service. From the API Management side, for each API (that corresponds to a backend service), you can configure the security settings on the Security tab. This process is described in the Configure API settings section in the How to create APIs article here: http://azure.microsoft.com/en-us/documentation/articles/api-management-howto-create-apis/

I will add a little section to the getting started to link to this. I am not sure how different sections of the API could be secured differently - you could have different APIs in a Product, each configured to talk to the backend using a different security protocol. In the Premium tier, you can also use a VPN to connect securely to a backend service that is not publicly accessible on the internet: http://azure.microsoft.com/en-us/documentation/articles/api-management-howto-setup-vpn/

Thanks,

Steve
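
The backend-side half of the basic authentication option described in the comment above, as an added example that is not part of the original thread or of any Azure code: a WSGI middleware that rejects any request not carrying the credentials the gateway is configured to send. The names `GATEWAY_USER`, `GATEWAY_PASSWORD`, `require_gateway`, `backend_app` and `call`, and the credential values, are assumptions constructed for illustration.

```python
import base64
import hmac

# Constructed credentials (assumption): the pair the gateway sends to the backend.
GATEWAY_USER = "apim-gateway"
GATEWAY_PASSWORD = "constructed-example-secret"


def is_gateway_request(authorization_header):
    """Return True only if the header carries the gateway's Basic credentials."""
    scheme, _, encoded = (authorization_header or "").partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return False
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Compare both fields in constant time, without short-circuiting on the user.
    user_ok = hmac.compare_digest(user.encode(), GATEWAY_USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), GATEWAY_PASSWORD.encode())
    return user_ok and pass_ok


def require_gateway(app):
    """WSGI middleware: answer 401 to any caller that is not the gateway."""
    def wrapped(environ, start_response):
        if not is_gateway_request(environ.get("HTTP_AUTHORIZATION")):
            start_response("401 Unauthorized",
                           [("WWW-Authenticate", 'Basic realm="backend"')])
            return [b"direct access to the backend is not allowed\n"]
        return app(environ, start_response)
    return wrapped


def backend_app(environ, start_response):
    # Stand-in for the real backend API (hypothetical).
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"backend response\n"]


def call(app, headers):
    """Invoke a WSGI app in-process and return (status, body)."""
    captured = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/orders", **headers}
    body = b"".join(app(environ, lambda status, hdrs: captured.update(status=status)))
    return captured["status"], body
```

Basic credentials are only base64-encoded, so this check is meaningful only when the gateway-to-backend hop runs over TLS.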

@deneha
Collaborator

@lanatmwan Thanks for raising this issue. It looks like we've answered the question and we have not heard from you. We are closing this issue. If you still have any problems, please comment so we can reopen this issue.

@deneha deneha closed this