Removing backend stack traces in Azure API Management: a caveat!

On my latest project, I developed a global policy to ensure that no stack traces get returned to the API consumer. This is a good security measure, because a stack trace reveals far too much about the underlying technology and setup: framework and runtime versions, internal class and method names, and file paths on the backend server, all of which help an attacker pick the right exploit.

Inside the All APIs policy, I updated the on-error policy section.

<on-error>
   <set-body template="none">Something went wrong.</set-body>
</on-error>

However, when the backend API returned a response with a status code in the 5xx range, API Management did not remove the stack trace in its body. After some digging into the documentation, it became clear that the on-error section is by default only triggered by errors raised inside the API gateway itself (a policy that fails, or a backend that cannot be reached). A backend that answers with a 500 and a stack trace in the body is, from the gateway's point of view, a perfectly successful response, so it is passed through the outbound section untouched.

Luckily, you can change this default behavior. The forward-request policy has an optional attribute, 'fail-on-error-status-code'. When you set this attribute to true, every backend response with a status code in the range 400 to 599 (inclusive) triggers the on-error section instead of the outbound section.

<backend>
   <forward-request fail-on-error-status-code="true"/>
</backend>
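Putting both pieces together, here is a complete All APIs (global scope) policy as an added example; it is not the policy from the post itself. It also handles the caveat that fail-on-error-status-code routes backend 4xx responses (a 401 or a 404, say) through the same on-error section: the generic body is kept for every error, but the backend status code is preserved so clients can still tell "not found" from "server error", and a Content-Type is set so the replacement body is not served under the backend's original header. Reading context.Response.StatusCode inside on-error assumes the backend response is still available there, and the JSON shape and requestId field are my own choices.

```xml
<policies>
    <inbound>
        <!-- Global scope: no <base /> here, there is no parent policy -->
    </inbound>
    <backend>
        <!-- Treat every 400-599 backend response as an error so on-error runs -->
        <forward-request fail-on-error-status-code="true" />
    </backend>
    <outbound>
        <!-- Only 1xx-3xx backend responses still reach this section -->
    </outbound>
    <on-error>
        <!-- Keep the backend's status code (assumption: context.Response still holds
             the backend response at this point) so a 404 stays a 404 -->
        <set-status code="@(context.Response.StatusCode)" reason="@(context.Response.StatusReason)" />
        <!-- The backend may have sent text/html with a stack trace; make the header
             match the body we are about to send -->
        <set-header name="Content-Type" exists-action="override">
            <value>application/json</value>
        </set-header>
        <!-- Replace the whole body: nothing from the backend (exception type,
             message, stack frames) survives. requestId lets support correlate
             the call with the gateway logs without leaking backend details. -->
        <set-body>@{
            return Newtonsoft.Json.JsonConvert.SerializeObject(new {
                message = "Something went wrong.",
                requestId = context.RequestId
            });
        }</set-body>
    </on-error>
</policies>
```

One more thing to check after deploying this: an API- or operation-level policy that defines its own on-error section must contain `<base />`, otherwise the global on-error section (and with it the body replacement) does not run for that API.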

Now, the stack traces get nicely removed 🙂

I hope this post can save you some time!
Toon

ABOUT

MEET THE YOUR AZURE COACH TEAM

Your Azure Coach is specialized in organizing Azure trainings that are infused with real-life experience. All our coaches are active consultants, who are very passionate and who love to share their Azure expertise with you.