| Protect Azure API Management APIs using Cloudmersive Advanced Virus Scanning and APIM Policy |
| 3/9/2026 - Cloudmersive Support |
Customers using Azure API Management need to protect against malicious file uploads to their APIs. Cloudmersive now offers a policy-based integration for scanning incoming requests for binary uploads and then performing Cloudmersive Advanced Virus Scan on these payloads.
To enable this, follow these steps:
- Navigate to your API in Azure API Management and click on APIs and then select the API in question.
- Under Inbound Processing click on the </> icon.
- Paste in this policy configuration:
    <policies>
        <inbound>
            <base />
            <send-request mode="copy" response-variable-name="scanResponse" timeout="30" ignore-error="true">
                <set-url>https://your-cloudmersive-reverse-proxy-server</set-url>
            </send-request>
            <!-- If scanner returns HTTP 403, return scanner's response body and Content-Type to the client -->
            <choose>
                <when condition="@(context.Variables.ContainsKey("scanResponse") && context.Variables["scanResponse"] != null && ((IResponse)context.Variables["scanResponse"]).StatusCode == 403)">
                    <return-response>
                        <set-status code="403" reason="Forbidden" />
                        <set-header name="Content-Type" exists-action="override">
                            <value>@(((IResponse)context.Variables["scanResponse"]).Headers.GetValueOrDefault("Content-Type", "text/plain"))</value>
                        </set-header>
                        <set-body>@(((IResponse)context.Variables["scanResponse"]).Body.As<string>(preserveContent: true))</set-body>
                    </return-response>
                </when>
            </choose>
            <!-- Anything other than scanner HTTP 403 continues to the real backend -->
        </inbound>
        <backend>
            <base />
        </backend>
        <outbound>
            <base />
        </outbound>
        <on-error>
            <base />
        </on-error>
    </policies>
- Change the URL https://your-cloudmersive-reverse-proxy-server to be your Cloudmersive Reverse Proxy Server endpoint. This can be deployed on Cloudmersive infrastructure via Managed Instance, or on your own infrastructure via Cloudmersive Private Cloud - including in Azure App Service, Azure Kubernetes Service, or Azure Virtual Machines.
- Click on Save.
- In the Cloudmersive Management portal, navigate to Private Cloud and find the node corresponding to the above https://your-cloudmersive-reverse-proxy-server. Click on Sites, and configure a site with Security Policies such as Virus Scan File Upload Request (multipart/form-data) - Advanced Scan, Virus Scan JSON Binary Data Request (application/json) - Advanced Scan, or Virus Scan POST Raw Binary Data Request (raw POST body) - Advanced Scan. Click on Push Configuration. In your Cloudmersive Private Cloud server click on Configure Node, Settings Variables, Add and set the type ReverseProxy_ResponseMode_NoOrigin to the value 1.
Every request sent into your Azure API Management will now be scanned for viruses automatically by Cloudmersive Reverse Proxy Server. The above policy sends each incoming request to Cloudmersive Reverse Proxy Server, which runs in a scanning-only mode: there is no upstream proxy, and it only enforces policies on the incoming information. Unsafe requests will be blocked per the policies you configured, while other requests will be allowed through.
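With `ignore-error="true"` and a check for HTTP 403 only, a scanner timeout or connection failure leaves `scanResponse` null and the request continues to the backend unscanned. A fail-closed variant of the `<choose>` block follows as an added example; it is not part of Cloudmersive's published policy. The 503 status, the message text, and treating a scanner 5xx response as a failed scan are assumptions.

```xml
<!-- Added example: drop-in replacement for the <choose> block in the inbound section -->
<choose>
    <!-- Scanner flagged the request: relay its 403 body and Content-Type, as in the original policy -->
    <when condition="@(context.Variables.ContainsKey("scanResponse") && context.Variables["scanResponse"] != null && ((IResponse)context.Variables["scanResponse"]).StatusCode == 403)">
        <return-response>
            <set-status code="403" reason="Forbidden" />
            <set-header name="Content-Type" exists-action="override">
                <value>@(((IResponse)context.Variables["scanResponse"]).Headers.GetValueOrDefault("Content-Type", "text/plain"))</value>
            </set-header>
            <set-body>@(((IResponse)context.Variables["scanResponse"]).Body.As<string>(preserveContent: true))</set-body>
        </return-response>
    </when>
    <!-- Assumption: no scanner response (timeout, connection error) or a scanner 5xx means
         the request was not scanned, so it is rejected instead of being forwarded -->
    <when condition="@(!context.Variables.ContainsKey("scanResponse") || context.Variables["scanResponse"] == null || ((IResponse)context.Variables["scanResponse"]).StatusCode >= 500)">
        <return-response>
            <set-status code="503" reason="Service Unavailable" />
            <set-header name="Content-Type" exists-action="override">
                <value>text/plain</value>
            </set-header>
            <set-body>Upload scanning is unavailable; the request was not forwarded.</set-body>
        </return-response>
    </when>
    <!-- Any other scanner status continues to the real backend -->
</choose>
```

Failing closed makes the API's availability depend on the scanner, so size the `timeout` value and the Reverse Proxy Server capacity accordingly.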