thankyoussd

Reputation: 2451

How to prevent Azure API Management from passing the subscription-key query parameter to Logic App?

I am using Azure API Management as the front end for my Logic App. The "subscription required" setting needs to be enabled as we do need the protection. However, we must send the key via query parameter because our calling application only supports GET, not POST.

So my API call was sent to Azure using the format of https://my.azure-api.net/myapi/manual/paths/invoke?subscription-key=mykey

Now, in the Azure API settings, I did create a policy with the delete action on the "subscription-key" query parameter, but here's the problem:

Even though the parameter is removed from the request body into Logic App, upon digging into the "RAW" outputs in Logic App where it shows various headers, we can see the subscription-key in these two headers:

    "X-WAWS-Unencoded-URL": "/myapi/manual/paths/invoke?subscription-key=xxx",
    "X-Original-URL": "/myapi/manual/paths/invoke?subscription-key=xxx"

In other words, the full original query URL was made available to Logic App before the parameter was removed. This exposes the API subscription key to the Logic App.

Is there any workaround for this?

Upvotes: 3

Views: 4514

Answers (1)

thankyoussd

Reputation: 2451

Ah, I see now that those headers were actually sent automatically by Azure API Management to the backend Logic App API, so all I had to do was set header policies to remove them, in addition to the query parameter policy.

    <set-query-parameter name="subscription-key" exists-action="delete" />
    <set-header name="X-WAWS-Unencoded-URL" exists-action="delete" />
    <set-header name="X-Original-URL" exists-action="delete" />

This takes care of it.

Upvotes: 6
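To confirm from the backend side that the policies above work, the following added example (not part of the original question or answer) scans the headers and query parameters a backend received for any remaining copy of the key, including headers that embed the original URL. The function name, the sample request dictionaries and the check for `Ocp-Apim-Subscription-Key` (API Management's default header name for the key) are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qsl

# Default names under which API Management accepts the key; adjust if renamed.
KEY_PARAM = "subscription-key"
KEY_HEADER = "ocp-apim-subscription-key"


def find_key_leaks(headers, query):
    """Return sorted locations in a backend request that still carry the key.

    headers: header name -> value, as copied from the backend's raw request view.
    query:   query parameter name -> value, as received by the backend.
    """
    leaks = []
    for name in query:
        if name.lower() == KEY_PARAM:
            leaks.append(f"query:{name}")
    for name, value in headers.items():
        if name.lower() == KEY_HEADER:
            leaks.append(f"header:{name}")
            continue
        # Headers such as X-Original-URL embed the original URL, query included.
        embedded = parse_qsl(urlsplit(str(value)).query, keep_blank_values=True)
        if any(k.lower() == KEY_PARAM for k, _ in embedded):
            leaks.append(f"header:{name}")
    return sorted(leaks)


# Constructed samples modelled on the headers quoted in the question.
BEFORE = {
    "headers": {
        "X-WAWS-Unencoded-URL": "/myapi/manual/paths/invoke?subscription-key=xxx",
        "X-Original-URL": "/myapi/manual/paths/invoke?subscription-key=xxx",
        "Host": "example.invalid",
    },
    "queries": {},
}
AFTER = {"headers": {"Host": "example.invalid"}, "queries": {}}

if __name__ == "__main__":
    for label, req in (("before", BEFORE), ("after", AFTER)):
        print(label, find_key_leaks(req["headers"], req["queries"]))
```
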
