How can we improve Azure API Management?

← API Management

Return status code 405 instead of 404 when wrong method is used

Defining an API involves creating the resources and the allowed methods for each resource. When invoking the operation (accessing the resource) with a wrong HTTP method (for example, PUT instead of GET), the API Management service returns a 404 Resource Not Found instead of a 405 Method Not Allowed. Passing an OWASP test implies to return the correct code (https://www.owasp.org/index.php/RESTSecurityCheatSheet#HTTPReturn_Code).

Is it possible to return this code with API Management right now? Will it be included in future releases

40 votes
Vote
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Carlos shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

3 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Stephen Gray commented  ·   ·  Flag as inappropriate

    I thought one option would be to check in the main “All operations” incoming policy for the http method (GET,POST,PUT etc..), check the request PATH and to return a 405 but unfortunately the policy won’t get hit due to APIM cutting off the request (and responding with a 404) in the middleware (I guess)

    One option, as a workaround, is to create a new operation to handle the invalid request method, in our case the GET. In APIM you need to create a duplicate operation (the only difference being the Method) and to then add a incoming simple policy to immediately return a HTTP 405 Response together with a slightly different message to distinguish that we tampered with response (but you don’t need to do this).

    <inbound>
    <base />
    <return-response>
    <set-status code="405" />
    <set-body>Method Not Allowed : Please check the API documentation.</set-body>
    </return-response>
    </inbound>

  • Anurag Maheshwari commented  ·   ·  Flag as inappropriate

    Is the above limitation still exists? I'm still getting 404 Resource Not Found instead of a 405 Method Not Allowed.

API Management: Policies

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice