Tommy Wang

Reputation: 109

APIM - response data masking

We need to expose an internal API to a vendor; however, for development we need to mask the data the internal API returns. We are looking for a feature similar to Apigee's data masking (https://docs.apigee.com/api-platform/security/data-masking). Is this doable via APIM?

Upvotes: 1

Views: 1346

Answers (3)

Mutation Person

Reputation: 30498

Looking through the GitHub samples, I found this, which appears to apply filtering to the response via the <outbound> policy:

https://github.com/Azure/api-management-policy-snippets/blob/master/examples/Filter%20response%20content%20based%20on%20product%20name.policy.xml

This was it at the time of writing:

<outbound>
  <base />
  <choose>
    <when condition="@(context.Response.StatusCode == 200 && context.Product.Name.Equals("Starter"))">
      <!-- NOTE that we are not using preserveContent=true when deserializing response body stream into a JSON object since we don't intend to access it again. See details on https://docs.microsoft.com/en-us/azure/api-management/api-management-transformation-policies#SetBody -->
      <set-body>
        @{
          var response = context.Response.Body.As<JObject>();
          // Strip the listed top-level properties before the body is returned to the caller.
          foreach (var key in new [] {"current", "minutely", "hourly", "daily", "alerts"}) {
            response.Property(key).Remove();
          }
          return response.ToString();
        }
      </set-body>
    </when>
  </choose>
</outbound>

Upvotes: 0
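
The sample above removes properties; the question asks for masking. As an added example (not from this thread or from the Azure snippets repository), the same outbound pattern can overwrite values instead, at any nesting depth. The product name "Vendor" and the field names are hypothetical placeholders.

```xml
<outbound>
  <base />
  <choose>
    <!-- Only rewrite successful JSON responses for the vendor product; everything else passes through unchanged.
         "Vendor" is a hypothetical product name. -->
    <when condition="@(context.Response.StatusCode == 200
                      && context.Product?.Name == "Vendor"
                      && context.Response.Headers.GetValueOrDefault("Content-Type", "").Contains("application/json"))">
      <set-body>@{
        // Hypothetical field names; list the sensitive keys of your own API here (case-sensitive match).
        var sensitive = new [] { "email", "phone", "accountNumber" };

        var raw = context.Response.Body?.As<string>();
        if (string.IsNullOrWhiteSpace(raw)) {
          return raw ?? "";   // nothing to mask in an empty body
        }

        // A JSON document whose root is a bare value has no named properties to mask.
        var container = JToken.Parse(raw) as JContainer;
        if (container == null) {
          return raw;
        }

        // Snapshot the matches with ToList() first: assigning to Value while
        // enumerating Descendants() would modify the tree during iteration.
        var hits = container.Descendants()
                            .OfType<JProperty>()
                            .Where(p => sensitive.Contains(p.Name))
                            .ToList();

        foreach (var p in hits) {
          // Replaces the whole value, including nested objects and arrays,
          // so no part of the original data reaches the caller.
          p.Value = "*****";
        }

        return container.ToString();
      }</set-body>
    </when>
  </choose>
</outbound>
```

A body that is labelled JSON but fails to parse raises an exception and is handled by the policy's on-error section, so unmasked data is not returned on that path.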

K.J.M.O.

Reputation: 227

If you know the name of the header(s) you want to mask or remove, e.g. your subscription key, you can easily do it like this in the APIM policy:

<set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />

Upvotes: 0

nunohpinheiro

Reputation: 2269

Generically, Azure APIM allows flexibility in the handling of requests and responses, mainly through the concept of policies. In short, these are operations that may be defined on incoming requests, on outgoing responses, or during the execution of requests.

This allows the changing of the requests/responses (for example, adding or removing headers), which may be what you want. Some typical examples/snippets of policies are depicted here in Azure's own GitHub, as well as in APIM itself, as shown here.

These two walkthroughs may also be helpful: Setting Policies and Transforming APIs.

Upvotes: 2
