I underestand that when a request includes Ocp-Apim-Trace: true
like below:
GET /api/v1/BotConfig HTTP/1.1
Host: xyz.azure-api.net
Cache-Control: no-cache
Ocp-Apim-Trace: true
Ocp-Apim-Subscription-Key: ••••••••••••••••••••••••••••••••
The API Management adds ocp-apim-trace-location header:
ocp-apim-trace-location: https://womewhere.blob.core.windows.net/apiinspectorcontainer/Hin6_SGFT-some-parameters
This is obviously a security probelm and I am sure I am missing a point.
What is the mechanism to enable ocp-apim-trace-location
for API Management developers, but make sure it is disabled for public service consumers?
Trace location (ocp-apim-trace-location in response header) is available only for admin accounts. For non-admin accounts or when there is no subscription key the traces aren't collected.