Hello J, Munna Lal,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
While understanding your issues, I will explain why requests might still be accessible from disallowed domains despite the CORS policy, and the need to test the CORS behavior with actual cross-origin requests, as direct requests (e.g., using Postman) will not trigger CORS checks. I will also cover the possibility of bypassing CORS restrictions using tools that do not enforce the browser's CORS policy.
The issue arises because API Management's CORS policies are only enforced for browser-originated requests. Non-browser clients can bypass these policies unless additional validation is implemented in the backend.
1. Ensure the CORS policy is applied with the following attributes:
   - `terminate-unmatched-request="true"`: Blocks requests from origins not explicitly listed in `allowed-origins`.
   - `allow-credentials="false"`: Only allow requests without credentials unless specifically needed.
2. Azure Functions have their own CORS settings in the Azure Portal (**Platform features > CORS**). Ensure these settings are not too permissive (e.g., avoid `*` as an allowed origin).
3. CORS is enforced by browsers, not by the API Management service or the Function App. Use a browser or tools like `curl` with the `Origin` header to test behavior. For example:

   ```bash
   curl -H "Origin: https://disallowed-origin.com" -X GET https://api-management-endpoint
   ```

   Also, check the `Access-Control-Allow-Origin` response header. It should be absent or match only allowed origins.
4. API Management's CORS policy only controls browser-based requests. To restrict all access to specific origins, implement a validation mechanism in the backend service (e.g., the Azure Function app) to check the `Origin` header and reject unauthorized domains explicitly. In Azure Functions, this is an example:

   ```csharp
   using System.Collections.Generic;
   using System.Threading.Tasks;
   using Microsoft.AspNetCore.Http;
   using Microsoft.AspNetCore.Mvc;
   using Microsoft.Extensions.Logging;

   public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
   {
       // The Origin header is empty when a client does not send it (e.g., non-browser tools)
       string origin = req.Headers["Origin"];
       var allowedOrigins = new List<string> { "https://example1.com", "https://example2.com" };
       if (!allowedOrigins.Contains(origin))
       {
           log.LogWarning("Rejected request from origin: {Origin}", origin);
           return new UnauthorizedResult();
       }
       // Proceed with normal processing
       return new OkObjectResult("Request accepted");
   }
   ```

5. Check other possible causes such as overly permissive policies and proxy or CDN configurations. Ensure no wildcard (`*`) is used in `allowed-origins` or `allowed-headers`, and if a CDN or reverse proxy (e.g., Azure Front Door) is in use, check whether it overrides or conflicts with the API Management settings.
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
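As an added illustration of the policy attributes and the wildcard check discussed in the answer above (this is not part of the original answer or of Microsoft's documentation), here is an API Management inbound `cors` policy in a permissive form next to a restricted form; the origin values are placeholders.

```xml
<!-- Permissive form: a wildcard origin means any site can read responses,
     a wildcard header list accepts anything, and terminate-unmatched-request
     is not set, so nothing is blocked at the gateway. -->
<inbound>
    <cors allow-credentials="false">
        <allowed-origins>
            <origin>*</origin>
        </allowed-origins>
        <allowed-methods>
            <method>*</method>
        </allowed-methods>
        <allowed-headers>
            <header>*</header>
        </allowed-headers>
    </cors>
    <base />
</inbound>

<!-- Restricted form: only the listed origins (placeholders) are accepted,
     unmatched origins are terminated at the gateway, credentials are not
     allowed, and methods and headers are enumerated explicitly. -->
<inbound>
    <cors allow-credentials="false" terminate-unmatched-request="true">
        <allowed-origins>
            <origin>https://example1.com</origin>
            <origin>https://example2.com</origin>
        </allowed-origins>
        <allowed-methods preflight-result-max-age="300">
            <method>GET</method>
            <method>POST</method>
        </allowed-methods>
        <allowed-headers>
            <header>content-type</header>
            <header>authorization</header>
        </allowed-headers>
    </cors>
    <base />
</inbound>
```

Even with the restricted form, a client that sends no `Origin` header is not a cross-origin request from the gateway's point of view, which is why the backend check in the answer is still needed.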