We would like to have OWASP security features as part of API Management rather than using API gateway/WAF.

5 comments
-
Henriquez, Hernan commented
Any update on this? Pretty basic expectation and long waiting.
-
Chad commented
More security rules? Country block - now in preview for app gateway: https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/geomatch-custom-rules
-
Henriquez, Hernan commented
Having out-of-the-box threat protection policies is a basic expectation of an API Management solution. Is there any plan in Azure APIM for this?
-
Chad commented
Consider adding built-in policy definitions similar to Apigee:
https://docs.apigee.com/api-platform/reference/policies/xml-threat-protection-policy
https://docs.apigee.com/api-platform/reference/policies/json-threat-protection-policy
https://docs.apigee.com/api-platform/reference/policies/regular-expression-protection
-
Chad commented
This is especially critical for a native Azure solution since you cannot put an App Gateway in front of APIM and still support Mutual Authentication with certificate checks.