BenchMark Quizzes by MDFT Pro

Hide Backend Information in API Responses

You work as an API Security Engineer for MDFT Pro, a well-known training agency that delivers certification courses to students worldwide. Mark, the API Strategy Director, is managing several Azure API Management (APIM) hosted APIs including the Course Catalog API, Student Enrollment API, and Certification Tracking API. These APIs expose training services to partners and students while connecting to various backend services including ASP.NET Core web apps, Node.js microservices, and Python data processing services. Security reviews have identified that API responses expose sensitive backend information such as server technology headers (X-Powered-By: ASP.NET, Server: Kestrel), error stack traces revealing framework versions, and other implementation details that could help attackers identify vulnerabilities. You need to transform all API responses to hide private backend information and obscure the technology stack details before responses reach external clients.

What should you configure to protect all APIs from exposing backend implementation details?

Choose the correct answer from the options below.

Explanations for each answer:

Configure and apply a new backend policy scoped to global is incorrect. Backend policies control how requests are forwarded to backend services (using policies like set-backend-service or forward-request) but don't modify response headers or content sent to clients. To hide backend information like server headers or technology stack details in responses, you need outbound policies that transform the response before it reaches the client, not backend policies.
Configure and apply a new outbound policy scoped to the operation is incorrect. While outbound policies can hide backend information by removing or modifying response headers, scoping to the operation level would require applying the policy to every single operation across all APIs. This creates maintenance overhead and risks inconsistent protection if new operations are added. For protecting all APIs uniformly, global scope is more appropriate and efficient.
Configure and apply a new inbound policy scoped to a product is incorrect. Inbound policies process requests before they reach the backend service, allowing you to validate, transform, or authenticate incoming requests. However, hiding backend information requires modifying responses after the backend processes them. You need outbound policies that execute after the backend returns data, not inbound policies that run before the request is forwarded.
Configure and apply a new outbound policy scoped to global is correct. Outbound policies execute after the backend processes requests and before responses are sent to clients, making them ideal for hiding backend information. Scoping to global ensures the policy applies to all APIs and operations automatically, providing consistent protection. You can use policies like set-header to remove server headers (X-Powered-By, Server) or set-body to transform responses, obscuring the technology stack used by backend services.

Learn more about API Management Policies:

API Management Policy Configuration

Practice Exam

Hide Backend Information in API Responses

Discuss this question on social media: