Hey everyone! I'm looking for some guidance on securing my backend API. Here's my setup: I have a web app running in Azure that uses Microsoft Entra ID for user authentication. Currently, my backend API is open to anyone who has the URL and can access it via Postman. I want to make sure that only requests coming from my web app are allowed to hit the API. What's the recommended approach to do this in Azure?
5 Answers
There are several effective strategies you can implement. First, activate network restrictions on your API to only allow requests from your front-end app, which will address the Postman access problem. Additionally, think about using managed identities for authentication between the web app and the API. These steps are fairly straightforward and won't cost anything.
You absolutely need to secure your API with some type of authentication method. If you're using Azure App Services, implementing OAuth2 with Entra can provide this. On top of that, ensure you have network isolation; use private endpoints and set up VNet integration for your front-end. You can limit traffic specifically from your web app's VNet to your API. If you might need public exposure but still want security, look into using a Web Application Firewall (WAF) with protections like DDoS prevention and rate limiting.
It's quite common to face this issue. The standard approach in Azure is to secure your API with Azure AD authentication, requiring your front-end to provide an access token. So, after the user signs in on your web app, it gets a token that your API will validate before processing any requests. You can enhance security further by combining this with CORS and specific service roles.
To secure your API the Azure way, treat it as a protected resource. You need to lock it down using Entra ID, which means your front-end should call the API using an access token. This way, if someone tries to hit the API URL directly, they’ll still need a valid token that grants them access. Additionally, consider adding network controls like private endpoints or API Management to further tighten security. Make authorization your first line of defense, followed by network restrictions.
Security practices in Azure are always evolving. A good starting point is to look up resources on authentication and authorization specifically for ASP.NET web APIs. Check out Microsoft's documentation for comprehensive insights and best practices.
Related Questions
How To: Running Codex CLI on Windows with Azure OpenAI
Set Wordpress Featured Image Using Javascript
How To Fix PHP Random Being The Same
Why no WebP Support with Wordpress
Replace Wordpress Cron With Linux Cron
Customize Yoast Canonical URL Programmatically