Commit d2f4e61

Merge pull request #306642 from dlepow/patch-130888
[APIM] Enhance OWASP security guidance - path traversal
2 parents 4d13a99 + 043b608 commit d2f4e61

1 file changed

Lines changed: 1 addition & 0 deletions

articles/api-management/mitigate-owasp-api-threats.md

@@ -193,6 +193,7 @@ More information about this threat: [API8:2023 Security misconfiguration](https
193193
- Use Key Vault integration to manage all certificates. This centralizes certificate management and can help to ease operations management tasks such as certificate renewal or revocation. Use managed identity to authenticate to key vaults.
194194
- When using the [self-hosted-gateway](/azure/api-management/self-hosted-gateway-overview), ensure that there's a process in place to update the image to the latest version periodically.
195195
- Represent backend services as [backend entities](/azure/api-management/backends). Configure authorization credentials, certificate chain validation, and certificate name validation where applicable.
196+
- Ensure your backends are protected against path traversal (directory traversal) attacks. API Management may forward requests containing `..%2f` in the URL path to a backend. If the backend decodes it to `../`, it could be susceptible to a path traversal attack. You can also apply a policy in API Management to detect and block requests such as those containing `..%2f` in the path.
196197
- Where possible, use credential manager or managed identity to authenticate against backend services.
197198
- When using the [developer portal](/azure/api-management/api-management-howto-developer-portal):
198199
- If you choose to [self-host](/azure/api-management/developer-portal-self-host) the developer portal, ensure there's a process in place to periodically update the self-hosted portal to the latest version. Updates for the default managed version are automatic.
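Review bot: The new bullet (line 196) recommends applying an API Management policy to block path traversal attempts but, unlike the neighbouring bullets, links to no policy documentation, and it frames the check around the single literal sequence `..%2f`, which reads as a signature rather than a rule. Suggest linking the policy reference the reader would use and rewording the last sentence so the detection is defined by the decoded path (reject any request whose normalized URL path contains a `..` segment) rather than by one encoded string, e.g. "You can also apply a policy in API Management that inspects the decoded request path and returns an error when it contains a `..` segment." The preceding sentence should also make the defender's requirement explicit: the backend itself must normalize and validate paths, since the gateway forwards the path as received.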
