CORS Allowed Origin Not Working in Azure API Management

J, Munna Lal 0 Reputation points
2024-12-13T14:04:48.5833333+00:00

We are using Azure API Management service with an Azure Function app bound to our Azure subscription.

In our scenario, we need to allow only selected URLs through the CORS inbound policy.

Although we have configured the selected URLs to be allowed in the CORS inbound policy, our Azure Function is still accessible from other domains along with the allowed origins.

Our assumption is that except for the allowed origins, other domains should not be able to access the API Management service.

Could there be suggestions for whitelisting the URLs and properly setting up CORS?

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
2,239 questions
Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
5,254 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Sina Salam 14,551 Reputation points
    2024-12-13T20:46:07.4433333+00:00

    Hello J, Munna Lal,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    While understanding your issues, I will explain why requests might still be accessible from disallowed domains despite the CORS policy, and the need to test the CORS behavior with actual cross-origin requests, as direct requests (e.g., using Postman) will not trigger CORS checks. Also, the possibility of bypassing CORS restrictions using tools that do not enforce the browser's CORS policy.

    Because the issue arises because API Management's CORS policies are only enforced for browser-originated requests. Non-browser clients can bypass these policies unless additional validation is implemented in the backend.

    1.Ensure the CORS policy is applied with the following attributes:

    • terminate-unmatched-request="true": Blocks requests from origins not explicitly listed in allowed-origins.
    • allow-credentials="false": Only allow requests without credentials unless specifically needed.
    1. Azure Functions have their own CORS settings in the Azure Portal (Platform features > CORS). Ensure these settings are not too permissive (e.g., avoid * as an allowed origin).
    2. CORS is enforced by browsers, not by the API Management service or the Function App. Use a browser or tools like curl with the Origin header to test behavior. For example:

    curl -H "Origin: https://disallowed-origin.com" -X GET https://api-management-endpoint

    Also, check the Access-Control-Allow-Origin response header. It should be absent or match only allowed origins.

    1. API Management's CORS policy only controls browser-based requests. To restrict all access to specific origins, implement a validation mechanism in the backend service (e.g., the Azure Function app) to check the Origin header and reject unauthorized domains explicitly. In Azure Functions, this is an example:
         public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
         {
             string origin = req.Headers["Origin"];
             var allowedOrigins = new List<string> { "https://example1.com", "https://example2.com" };
             
             if (!allowedOrigins.Contains(origin))
             {
                 return new UnauthorizedResult();
             }
             // Proceed with normal processing
         }
    
    1. Check other possible causes such as Overly Permissive Policies and Proxy or CDN Configurations.

    You can esure no wildcard (*) is used in allowed-origins or allowed-headers and If a CDN or reverse proxy (e.g., Azure Front Door) is in use, check if it overrides or conflicts with the API Management settings respectively.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.