Every bug report should have a precise description and reproduction steps; console traces or source code references are appreciated.
For assistance requests, contact Azure support or submit a post on Stack Overflow. We don't provide support through GitHub Issues. Feature requests can be raised on the Azure Feedback Forum.
Bug description
An observation regarding the Developer Portal (in Azure API Management). The API Management in our case is configured in “internal mode” to be protected from access from the internet, since it is to be used for internal APIs only. The pictures used in the portal are stored in a Storage Account that is accessible by anyone.
When logged in as an “admin” in the portal we notice that the URLs for the pictures look like this: https://apimstfmv1ihtcjg0pkh1rxp.blob.core.windows.net/content/fb9cfb3f-7eef-9990-1f7c-84b5e4fa4125?sv=2022-11-02&st=2023-10-25T13%3A29%3A37Z&se=2023-10-26T13%3A34%3A37Z&sr=c&sp=rwdl&sig=px6WBZOx3fGXyjmTfKTB%2F2zdQcO%2BdkvbVY0gagCdQOc%3D
But the images can still be retrieved from the internet with this link (without any parameters): https://apimstfmv1ihtcjg0pkh1rxp.blob.core.windows.net/content/fb9cfb3f-7eef-9990-1f7c-84b5e4fa4125
Is this a bug?
Expected behavior
We don’t want the pictures or the content for our “internal” Developer Portal to be accessed by anyone from the internet, since this might be an information security issue, especially if the content of pages (text) is also accessible in a similar way.
Is your portal managed or self-hosted?
Release tag or commit SHA (if using self-hosted version)
API Management service name
Environment
Additional context
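As an added example (not part of the original issue or the project's code), the following Python check decodes the SAS fields on a blob URL of the kind quoted above and tests whether the bare URL, with the query string removed, still answers an anonymous request. The account name, blob name and signature in the sample are constructed placeholders, and `describe_sas`, `http_status` and `audit` are hypothetical helper names.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs
from urllib.request import Request, urlopen
from urllib.error import HTTPError

PERMS = {"r": "read", "w": "write", "d": "delete", "l": "list"}
SCOPES = {"b": "blob", "c": "container"}

def describe_sas(url):
    """Return (bare_url, sas_summary); sas_summary is None if no signature is present."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)  # also percent-decodes values such as %3A
    bare = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    if "sig" not in q:
        return bare, None
    sas = {
        "scope": SCOPES.get(q.get("sr", [""])[0], "unknown"),
        "permissions": [PERMS.get(c, c) for c in q.get("sp", [""])[0]],
        "start": q.get("st", [None])[0],
        "expiry": q.get("se", [None])[0],
    }
    return bare, sas

def http_status(url):
    """Default probe: anonymous HEAD request, returns the HTTP status code."""
    try:
        with urlopen(Request(url, method="HEAD"), timeout=10) as resp:
            return resp.status
    except HTTPError as err:
        return err.code

def audit(urls, probe=http_status):
    """Flag blobs that answer 200 without a SAS token (anonymous read enabled)."""
    findings = []
    for url in urls:
        bare, sas = describe_sas(url)
        status = probe(bare)
        findings.append({"url": bare, "sas": sas, "status": status,
                         "anonymous_read": status == 200})
    return findings

if __name__ == "__main__":
    # Constructed sample URL: placeholder account, blob name and signature.
    sample = ("https://exampleaccount.blob.core.windows.net/content/sample-blob"
              "?sv=2022-11-02&se=2023-10-26T13%3A34%3A37Z&sr=c&sp=rwdl&sig=PLACEHOLDER")
    for finding in audit([sample], probe=lambda u: 200):  # stubbed probe, no network
        print(finding)
```

Run `audit` with the default probe against media URLs copied from your own portal; any entry with `anonymous_read` set to `True` is readable without a token.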