Removing backend stack traces in Azure API Management: a caveat!

On my latest project, I developed a global policy to ensure that no stack traces get returned to the API consumer.  This is a good security measure, because stack traces reveal too much information about the underlying technology and setup.

Inside the All APIs policy, I updated the on-error policy section.

   <set-body template="none">Something went wrong.</set-body>

However, when the backend API returned a response with a 5XX status code, API Management did not remove the stack trace from it.  After some digging into the documentation, it became clear that the on-error section is by default only triggered for errors that occur within the API gateway itself, not for error responses that the backend returns.

Luckily, you can change this default behavior.  The forward-request policy has an optional attribute ‘fail-on-error-status-code’.  When you set this attribute to true, all backend responses within the 400-599 range will trigger the on-error section.

   <forward-request fail-on-error-status-code="true"/>

Now, the stack traces get nicely removed 🙂
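The two fragments above, combined into one global (All APIs) policy, as an added example that is not the policy from the original post. It assumes the global scope (so no `<base />` elements), a JSON error body, and that the gateway error details are still worth keeping in the trace log even though they are no longer sent to the consumer; the `trace` source name and the JSON message are made up for the example.

```xml
<policies>
    <inbound />
    <backend>
        <!-- Default: only gateway-internal errors reach on-error.
             With fail-on-error-status-code="true", any backend response
             in the 400-599 range is routed into the on-error section too. -->
        <forward-request fail-on-error-status-code="true" />
    </backend>
    <outbound />
    <on-error>
        <!-- Keep the detail for operators (assumed: trace source name is arbitrary) -->
        <trace source="global-error-handler" severity="error">
            <message>@(context.LastError.Source + ": " + context.LastError.Message)</message>
        </trace>
        <!-- Replace whatever body the backend or gateway produced (possibly a stack trace)
             with a fixed, non-revealing message; override the content type to match. -->
        <set-header name="Content-Type" exists-action="override">
            <value>application/json</value>
        </set-header>
        <set-body>{"message": "Something went wrong."}</set-body>
    </on-error>
</policies>
```

Note that because the 400-599 range is caught as a whole, meaningful 4XX bodies from the backend (for example validation messages on a 400) are replaced as well; if consumers rely on those, narrow the on-error section with a `<choose>` on `context.Response.StatusCode` before overwriting the body.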

I hope this post can save you some time!

About me

Hi! I’m Toon Vanhoutte, a hands-on Azure architect – based in Belgium – with a big passion for teaching and helping people out. I’m happy to assist you during your Azure journey with high-quality advisory and I would love to teach you Azure’s possibilities via my tailored training courses.
