Review/Validate APIM Inbound Policy for User-Agent Filtering (iOS/Android Restriction)

Alhamzawi Hussein, Ali Mezher 0 Reputation points
2025-10-21T15:55:43.4433333+00:00

I need to ensure that my API endpoint is only accessible by my native mobile applications (iOS and Android) and block all other traffic, such as web browsers or scripting tools.

Is the XML below fine?

<inbound>
    <base />
    <!-- Extract User-Agent -->
    <set-variable name="userAgent" value="@(context.Request.Headers.GetValueOrDefault("User-Agent",""))" />
    <!-- Allow only iOS or Android -->
    <choose>
        <when condition="@(context.Variables.GetValueOrDefault<string>("userAgent").Contains("iPhone") 
                        || context.Variables.GetValueOrDefault<string>("userAgent").Contains("iPad") 
                        || context.Variables.GetValueOrDefault<string>("userAgent").Contains("Android"))">
            <!-- Allow request -->
        </when>
        <otherwise>
            <!-- Reject everything else -->
            <return-response>
                <set-status code="403" reason="Forbidden" />
                <set-body>{"error": "Only iOS and Android devices are allowed"}</set-body>
                <set-header name="Content-Type" exists-action="override">
                    <value>application/json</value>
                </set-header>
            </return-response>
        </otherwise>
    </choose>
</inbound>
 
Azure API Management

1 answer

  1. Rupesh Asati 780 Reputation points Microsoft External Staff Moderator
    2025-10-21T16:44:20.56+00:00

    Hello Alhamzawi Hussein, Ali Mezher

    Thanks for reaching out on Microsoft Q&A, and we really appreciate your patience while we looked into this.

    I understand from the description that you want to set up User-Agent filtering for your API endpoint to ensure it's only accessible from your iOS and Android applications.

    Steps:

    1. Extract and Normalize the User-Agent Header: Use the set-variable policy to extract the User-Agent header and convert it to lowercase for case-insensitive comparison.
         <set-variable name="userAgent" value="@(context.Request.Headers.GetValueOrDefault("User-Agent", "").ToLowerInvariant())" />
      
      Set variable policy
    2. Conditionally Allow or Reject Requests: Implement the choose policy to check if the User-Agent contains substrings indicative of iOS or Android devices.
         <choose>
             <when condition="@(context.Variables.GetValueOrDefault<string>("userAgent").Contains("iphone")
                            || context.Variables.GetValueOrDefault<string>("userAgent").Contains("ipad")
                            || context.Variables.GetValueOrDefault<string>("userAgent").Contains("android"))">
                 <!-- Allow request -->
             </when>
             <otherwise>
                 <return-response>
                     <set-status code="403" reason="Forbidden" />
                     <set-body>{"error": "Only iOS and Android devices are allowed"}</set-body>
                     <set-header name="Content-Type" exists-action="override">
                         <value>application/json</value>
                     </set-header>
                 </return-response>
             </otherwise>
         </choose>
      
      Choose policy.
    3. Return a Custom Response for Unauthorized Requests: If the User-Agent doesn't match the allowed devices, use the return-response policy to send a 403 Forbidden response.
      Return response policy

    How to set or edit Azure API Management policies | Microsoft Learn: https://free.blessedness.top/en-sg/azure/api-management/set-edit-policies?tabs=form

    I hope this helps in resolving the issue, do let me know if you have any further questions on this.

    Thanks

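The following is an added example, not part of the question or the answer above and not APIM code. It re-implements in Python the decision logic of both policy snippets (the question's case-sensitive `Contains("iPhone")` checks and the answer's `ToLowerInvariant()` version) so the behaviour can be tested offline against constructed request headers before the policy is deployed. All User-Agent strings and header dictionaries in it are constructed sample inputs. Because the User-Agent header is set by whichever client sends the request, the model treats the filter as a routing convenience that keeps casual browser traffic off the endpoint, and the comments note that it is not a substitute for authenticating the mobile apps (for example with a token validated in the same inbound section).

```python
"""Offline model of the APIM User-Agent allow-list discussed in this thread.

Assumption: this is an added Python re-implementation of the C# policy
expressions from the question and the answer, written to test the logic.
It does not run inside APIM and is not APIM code.
"""

# Markers from the answer's snippet (lower-cased) and from the question's
# snippet (original casing).
MARKERS_LOWER = ("iphone", "ipad", "android")
MARKERS_ORIGINAL = ("iPhone", "iPad", "Android")

REJECT_BODY = {"error": "Only iOS and Android devices are allowed"}


def get_header(headers: dict, name: str, default: str = "") -> str:
    """Case-insensitive header lookup, mirroring HTTP header semantics and
    context.Request.Headers.GetValueOrDefault(name, default) in the policy."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return default


def apply_policy(headers: dict, case_insensitive: bool = True):
    """Return (status, body) as the inbound policy would produce.

    case_insensitive=True  -> the answer's version (ToLowerInvariant()).
    case_insensitive=False -> the question's version (case-sensitive Contains).
    A 200 means the request continues to the backend; 403 is return-response.

    Note: the User-Agent value is supplied by the client, so a match only
    tells you what the client claimed to be. Treat this as a filter for
    accidental browser access, not as authentication of the mobile apps.
    """
    user_agent = get_header(headers, "User-Agent")
    if case_insensitive:
        user_agent = user_agent.lower()  # Python str.lower() == ToLowerInvariant() for ASCII
        markers = MARKERS_LOWER
    else:
        markers = MARKERS_ORIGINAL
    if any(marker in user_agent for marker in markers):
        return 200, None
    return 403, REJECT_BODY


# Constructed sample requests (labels are ours; UA strings are representative
# examples, not captured traffic).
SAMPLE_REQUESTS = {
    "ios-safari": {
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
                      "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"},
    "android-chrome": {
        "User-Agent": "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/120.0 Mobile Safari/537.36"},
    "desktop-chrome": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/120.0 Safari/537.36"},
    "curl": {"User-Agent": "curl/8.4.0"},
    "python-requests": {"User-Agent": "python-requests/2.31.0"},
    # A native app that sets its own UA in upper case: this is where the
    # question's case-sensitive check and the answer's lower-cased check differ.
    "custom-app-uppercase": {"User-Agent": "MYAPP/2.1 (IPHONE; build 431)"},
    # Header name in lower case: HTTP header names are case-insensitive.
    "lowercase-header-name": {
        "user-agent": "Mozilla/5.0 (iPad; CPU OS 17_0 like Mac OS X) Mobile/15E148"},
    "no-user-agent": {},
}


def evaluate(case_insensitive: bool = True) -> dict:
    """Run every sample request through the policy; return label -> status."""
    return {label: apply_policy(headers, case_insensitive)[0]
            for label, headers in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    original = evaluate(case_insensitive=False)
    revised = evaluate(case_insensitive=True)
    print(f"{'request':24} {'question (case-sensitive)':>26} {'answer (lowercased)':>20}")
    for label in SAMPLE_REQUESTS:
        print(f"{label:24} {original[label]:>26} {revised[label]:>20}")
```

Running the block prints a table showing that both versions reject the desktop browser, curl, python-requests and a request with no User-Agent, and that only the answer's lower-cased version accepts the upper-case app UA; the `lowercase-header-name` row confirms the lookup does not depend on header-name casing. The same table is a quick way to see that the decision rests entirely on a client-supplied string.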
