Azure API Management - Dynamic Delete All Response Headers

Question


In Azure API Management Policy I want to clean the Response Headers being sent by a backend system (to prevent data leakage). I don't want to hard-code each current header name that is being sent by the backend system as this won't account for new headers potentially added in future by new versions of the software and we'd also have to do this for all operations, testing each operation, capturing the headers then updating the policy.

Ideally I'd like to set a list of allowed headers (per API Operation) and delete the rest.

I've tried a number of approaches, but the set-header policy doesn't allow multiple names to be passed (I thought at one point it might take a comma separated list) and there doesn't seem to be a looping policy like for-each to enable running the set-header multiple times.

Is there something I'm missing to enable me to do this? Can this be done somehow through policy expressions etc?

Thanks,
Jason

Answer 1

Score: 0


There is no good way to achieve that at the moment, but there is a hack:

<retry condition="@(context.Response.Headers.Keys.Any(k => !(new[] {"allowed-header-1", "allowed-header-2"}.Contains(k, StringComparer.InvariantCultureIgnoreCase))))" count="50" interval="0">
    <choose>
        <when condition="@(context.Response.Headers.Keys.Any(k => !(new[] {"allowed-header-1", "allowed-header-2"}.Contains(k, StringComparer.InvariantCultureIgnoreCase))))">
            <set-variable name="headerName" value="@(context.Response.Headers.Keys.First(k => !(new[] {"allowed-header-1", "allowed-header-2"}.Contains(k, StringComparer.InvariantCultureIgnoreCase))))" />
            <set-header name="@((string)context.Variables["headerName"])" exists-action="delete" />
        </when>
    </choose>
</retry>

In short, the retry policy will keep retrying as long as there is a non-allowed header. Inside it you get the first non-allowed header into a variable and remove it via the set-header policy.
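The same technique as a complete operation-scope policy, added here as an example and not taken from the answer above. The allow list (the header names are assumed example values) is declared once in a variable so the retry condition and the set-variable inside it cannot drift apart, and the body is guarded with choose/when because retry runs its children once before it evaluates the condition, which would otherwise make First() throw on a response that has nothing to delete. Variable names allowedHeaders and headerToDelete are my own.

```xml
<policies>
    <inbound>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Assumed allow list for this operation (example values, not from the original post).
             Kept in one comma-separated string so the retry condition and the set-variable
             below read the same list. Anything not listed here is removed. -->
        <set-variable name="allowedHeaders" value="content-type,content-length,cache-control,x-request-id" />
        <!-- retry executes its children once unconditionally, then repeats while the condition
             holds; count="50" caps the extra passes, so at most 51 headers get removed. -->
        <retry condition="@(context.Response.Headers.Keys.Any(k => !((string)context.Variables["allowedHeaders"]).Split(',').Any(a => string.Equals(a.Trim(), k, StringComparison.OrdinalIgnoreCase))))" count="50" interval="0">
            <choose>
                <!-- Guard the first, unconditional pass: without it First() throws when nothing is left to delete. -->
                <when condition="@(context.Response.Headers.Keys.Any(k => !((string)context.Variables["allowedHeaders"]).Split(',').Any(a => string.Equals(a.Trim(), k, StringComparison.OrdinalIgnoreCase))))">
                    <set-variable name="headerToDelete" value="@(context.Response.Headers.Keys.First(k => !((string)context.Variables["allowedHeaders"]).Split(',').Any(a => string.Equals(a.Trim(), k, StringComparison.OrdinalIgnoreCase))))" />
                    <set-header name="@((string)context.Variables["headerToDelete"])" exists-action="delete" />
                </when>
            </choose>
        </retry>
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two things to check before relying on this: keep Content-Type and Content-Length (or Transfer-Encoding, depending on the backend) in the allow list or clients will not be able to interpret the body, and set count to more than the largest number of disallowed headers any backend version is likely to send, since headers beyond that limit survive silently. Run a request through the test console with tracing on and confirm the outbound trace shows only the allowed names.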

huangapple
  • Posted on 2023-07-27 15:11:36
  • Please keep this link when reposting: https://go.coder-hub.com/76777275.html