How to eliminate tracing (prevent Ocp-Apim-Trace) when the call includes a subscription key?

1
votes

This is a follow up to the following question: How to prevent Ocp-Apim-Trace: true and ocp-apim-trace-location in production?

My API consumers must have a subscription key to be able to use my API. However, I do not want them to see the detail traces provided in ocp-apim-trace-location. The detail trace provides them visibility to my internal service URLs and details that can be a potential security risk.

How to eliminate tracing (prevent Ocp-Apim-Trace) when the call includes a subscription key?

1
azure-api-management

1 Answers

3
votes

There is no way to disable tracing funtionality, not sending this header will disable tracing collection for one request only. But do know, that only admin users are capable of collecting traces, if this header is supplied along with subscription key that does not belong to admin account (or no subscription key at all) no traces will be collected. The idea here is that traces may expose information service owner may not be willing to share with developers.

Actually, you could design APIs belong to an open product to be callable anonymously.

Create a new product and uncheck Require subscription in its settings. Any API added to such product will be callable without a key anonymously.

So that you could let your consumer anoymously call your API without subscription key and then eliminate tracing.

For more details, you could refer to this article.