
Azure API Management – Enforcing HTTPS-only for Developer Portal custom domain

SakthivelKalpana-8415 0 Reputation points
2026-04-13T13:17:44.0266667+00:00

We are using Azure API Management with a custom domain for the Developer Portal (e.g. https://developer.example.com).

We need to enforce HTTPS-only access for this custom domain due to security/compliance requirements.

We cannot find any APIM-native setting to:

  • Disable HTTP on the Developer Portal custom domain, or
  • Redirect HTTP → HTTPS directly within APIM

Could you please clarify:

  1. Is there any supported way within Azure API Management itself to enforce HTTPS‑only access for a Developer Portal custom domain?
  2. If this is not supported, can you please confirm that this is a platform limitation so that we can document it for security/compliance purposes?

Thanks in advance for the clarification.

Azure API Management

An Azure service that provides a hybrid, multi-cloud management platform for APIs.


2 answers

  1. Siddhesh Desai 6,555 Reputation points Microsoft External Staff Moderator
    2026-04-13T14:23:34.9533333+00:00

    Hi @SakthivelKalpana-8415

    Thank you for reaching out to Microsoft Q&A.

    Based on the current Azure API Management (APIM) documentation and platform behavior, there is no supported, APIM‑native way to enforce HTTPS‑only access or to configure an HTTP → HTTPS redirect specifically for a Developer Portal custom domain.

    When using a custom domain for the Developer Portal, Azure API Management does not expose any configuration or setting that allows you to:

    • Disable HTTP access for the Developer Portal endpoint, or
    • Configure an automatic HTTP → HTTPS redirection within APIM itself

    The Azure API Management documentation and security baseline focus on general best practices (for example, recommending encrypted protocols such as HTTPS/WSS for APIs and data-in-transit protection). However, they do not document any feature, toggle, or policy that enforces HTTPS-only behavior on the Developer Portal custom domain endpoint or performs protocol-level redirection for it.

    Key clarification for security / compliance documentation

    APIM platform limitation:

    As of now, this is a platform limitation of Azure API Management. There is no supported, built‑in capability within APIM to force HTTPS‑only access or redirect HTTP traffic to HTTPS for the Developer Portal custom domain. [learn.microsoft.com]

    Scope of existing HTTPS enforcement:

    APIM does support TLS/HTTPS for custom domains and requires valid certificates, but this only ensures HTTPS availability, not HTTP disablement or redirection behavior for the Developer Portal endpoint.

    Common workaround (outside APIM)

    While not part of APIM itself, many customers address this requirement by placing a service such as Azure Front Door or Azure Application Gateway in front of APIM, where:

    • HTTP can be disabled entirely, or
    • HTTP → HTTPS redirection can be enforced at the edge

    This workaround is external to APIM and should be documented as such if adopted.


  2. Q&A Assist
    2026-04-13T13:17:59.42+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.
    1. The available documentation for Azure API Management custom domains and the developer portal describes HTTPS behavior and security baselines only at a general level (for example, recommending that APIs be exposed only via encrypted protocols). It does not document any APIM-native setting or switch that:
      • Disables HTTP specifically for the Developer portal custom domain, or
      • Performs an automatic HTTP → HTTPS redirect for the Developer portal endpoint.
      The only explicit HTTPS-enforcement setting in the provided context is for Azure Spring Apps custom domains ("HTTPS Only"), which does not apply to API Management or its developer portal. Based on the available material, there is no documented, supported feature in API Management itself to enforce HTTPS-only access or HTTP→HTTPS redirection specifically for a Developer Portal custom domain.
    2. The API Management documentation and security baseline emphasize:
      • Using encrypted protocols such as HTTPS/WSS for APIs and avoiding HTTP/WS.
      • Data-in-transit and data-at-rest protections.
      However, the documentation does not describe a configuration knob for the developer portal custom domain to disable HTTP or force redirection, nor does it list such a feature among the custom-domain endpoint options or considerations. Within the scope of the provided documentation, this absence can be treated as a platform limitation: API Management does not expose a documented, built-in mechanism to enforce HTTPS-only access for the Developer Portal custom domain. Any HTTPS-only enforcement or HTTP→HTTPS redirection for the developer portal would therefore need to be implemented outside APIM (for example, via a fronting component such as an application gateway, reverse proxy, or similar), as no native setting is described in the referenced API Management documentation.
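
A check for the edge workaround both answers describe, added here as an example (not code from Microsoft or from either answer): it sends one plaintext request to port 80 without following redirects and reports whether HTTP is closed or redirected to HTTPS on the same host. The verdict names and sample values are constructed for illustration; `developer.example.com` is the placeholder hostname from the question.

```python
import http.client
import socket
import sys
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 307, 308)

def classify(host, status, location):
    """Classify the result of one plaintext-HTTP probe against `host`.

    status is None when port 80 refused, reset or timed out.
    Verdict names are hypothetical labels chosen for this example.
    """
    if status is None:
        return "http-closed"
    if status in REDIRECT_CODES and location:
        target = urlsplit(location)
        same_host = (target.hostname or "").lower() == host.lower()
        if target.scheme == "https" and same_host:
            return "redirects-to-https"
        # Relative, http:// or cross-host redirects keep the user off the
        # HTTPS portal for at least one more hop: flag for review.
        return "bad-redirect"
    return "http-served"  # portal content or an error page over plaintext

def is_compliant(verdict):
    """HTTPS-only holds if HTTP is closed or cleanly redirected."""
    return verdict in ("http-closed", "redirects-to-https")

def probe(host, path="/", timeout=5.0):
    """GET http://host/ once, without following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "https-only-check"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except (ConnectionError, socket.timeout):
        return None, None  # DNS failures are not caught and will raise
    finally:
        conn.close()

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "developer.example.com"
    verdict = classify(host, *probe(host))
    print(f"{host}: {verdict}")
    sys.exit(0 if is_compliant(verdict) else 1)
```

Run it against the public hostname that clients resolve, so the result reflects the fronting service and not the APIM origin behind it.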
