Azure API Management – Transformation policies

    Azure API Management lets you host your APIs on a secure platform while keeping your backend services shielded from direct user access. This hosting model also lets your architecture take advantage of the many out-of-the-box features and policies that API Management provides.

    When a custom web service is the backend for an API hosted in Azure API Management, API Management does not hide the ASP.NET version and x-powered-by headers by default, so they are included in every response from this API. Exposing the platform your backend service runs on, together with its version number, can be a security risk: it tells a potential attacker which platform and version to look for known weaknesses in.

    You can mitigate this security risk by using an API Management policy to delete these specific headers from the HTTP response.
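
An outbound policy of this kind, as an added example that is not taken from the original article. It assumes the backend emits the standard ASP.NET header names `X-Powered-By` and `X-AspNet-Version`, and that the policy is applied at the API scope:

```xml
<policies>
    <inbound>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Strip backend platform fingerprinting headers before the
             response leaves the gateway. exists-action="delete" removes
             the header if present and does nothing if it is absent. -->
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="X-AspNet-Version" exists-action="delete" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

To confirm the policy is in effect, request the API through the gateway and check that neither header appears in the response. The backend itself still emits both headers, so the policy only helps while direct access to the backend stays blocked.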

    After applying this change, API Management deletes these two headers from the HTTP responses sent back to the client, as shown in the screenshot.