articles/api-management/mitigate-owasp-api-threats.md
1 addition & 0 deletions
@@ -193,6 +193,7 @@ More information about this threat: [API8:2023 Security misconfiguration](https
193
193
- Use Key Vault integration to manage all certificates. This centralizes certificate management and can help to ease operations management tasks such as certificate renewal or revocation. Use managed identity to authenticate to key vaults.
194
194
- When using the [self-hosted-gateway](/azure/api-management/self-hosted-gateway-overview), ensure that there's a process in place to update the image to the latest version periodically.
195
195
- Represent backend services as [backend entities](/azure/api-management/backends). Configure authorization credentials, certificate chain validation, and certificate name validation where applicable.
196
+
- Ensure your backends are protected against path traversal (directory traversal) attacks. API Management may forward requests containing `..%2f` in the URL path to a backend. If the backend decodes it to `../`, it could be susceptible to a path traversal attack. You can also apply a policy in API Management to detect and block requests such as those containing `..%2f` in the path.
196
197
- Where possible, use credential manager or managed identity to authenticate against backend services.
197
198
- When using the [developer portal](/azure/api-management/api-management-howto-developer-portal):
198
199
- If you choose to [self-host](/azure/api-management/developer-portal-self-host) the developer portal, ensure there's a process in place to periodically update the self-hosted portal to the latest version. Updates for the default managed version are automatic.
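Review bot: the new bullet presents the backend fix and the API Management policy as two options of equal weight, but the line itself conditions the risk on "If the backend decodes it to `../`", so the backend canonicalising the path before it touches the filesystem is the primary control and the gateway policy is defence in depth; a policy that matches only the literal string `..%2f` catches just that one spelling. Suggest reordering the sentences to make that priority explicit, and naming the policy and linking its reference page the way the neighbouring bullets link `backend entities` and `self-hosted-gateway`, since "apply a policy in API Management to detect and block requests" gives the reader nothing to look up. Minor: "API Management may forward requests containing `..%2f`" reads as uncertain; consider stating precisely whether the gateway forwards the path unchanged.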