Exam AZ-204 topic 5 question 40 discussion

https://learn.microsoft.com/en-us/azure/azure-web-pubsub/howto-develop-eventhandler#upstream-and-validation

Most likely, it's A, since they ask about "Unauthorized protection" instead of "Abuse Protection", which are both supported by underlying "CloudEvents HTTP protocols" (web-hooks). https://github.com/cloudevents/spec/blob/v1.0/http-webhook.md#4-abuse-protection So, if we read attentively about Abuse Protection / webhook-request-origin, we can find this excerpt: "It is important to understand is that the handshake does not aim to establish an authentication or authorization context. It only serves to protect the sender from being told to a push to a destination that is not expecting the traffic. While this specification mandates use of an authorization model, this mandate is not sufficient to protect any arbitrary website from unwanted traffic if that website doesn't implement access control and therefore ignores the Authorization header." And this is Authorization header description in this protocol: https://github.com/cloudevents/spec/blob/v1.0/http-webhook.md#3-authorization

The answer is D: WebHook-Request-Origin Authorization: Generic auth header, not specific to WebPubSub validation WebHook-Request-Callback: Not used for origin validation Resource: Not relevant for webhook validation WebHook-Request-Origin: Used by WebPubSub to identify itself

Authorization

A should be correct

WebHook-Request-Origin cannot protect from unauthorized invocations as it contains just DNS name https://github.com/cloudevents/spec/blob/main/cloudevents/http-webhook.md#412-webhook-request-origin

The Authorization header is used to authenticate a user agent with a server. In the context of Azure Functions, this header is used to pass the function or system keys when making HTTP requests to the function. By allowing this header, you can ensure that only authorized requests can invoke the function.

Guys. Webhook-Request-Origin does nothing to protect against *unauthorized* requests. The Authorization header must be allowed by the CDN.

The original question could indeed be clearer. The focus should be on ensuring that the CDN allows for the protection of the data being transmitted to the phone, rather than the Azure Function itself.

Copilot: A. Authorization - Correct The Authorization header is used to authenticate the client/user in the application by including authorization credentials. It’s crucial for protecting the Azure function against misconfigured invocations. B. WebHook-Request-Callback - Incorrect The WebHook-Request-Callback is not a standard HTTP header and it’s not typically used for authorization or protection against misconfigured invocations. C. Resource - Incorrect The Resource is not a standard HTTP header and it’s not typically used for authorization or protection against misconfigured invocations. D. WebHook-Request-Origin - Incorrect The WebHook-Request-Origin is not a standard HTTP header and it’s not typically used for authorization or protection against misconfigured invocations.

On exam 3-Nov-2023. Went with most-voted answer - 932/1000.

The Authorization header (Option A) is widely used for authentication in HTTP requests. It is a standard header for including credentials, tokens, or other authentication information. By allowing the Authorization header on the CDN, you can ensure that only requests with valid authorization tokens or credentials can invoke your Azure function, providing a secure method of protection against unauthorized invocations.

Why not A? To ensure that the Azure Function is protected against misconfigured or unauthorized invocations when using a CDN, you should allow the "Authorization" HTTP header.

This cannot possibly be a real question the way it is written.

B. Enable Application Insights site extensions. E. Enable the Always On setting for the app service. D. Enable Profiler. chat gpt

D is correct