SaltSecurity.IIS.AzureAppServiceCollector 1.0.1

Salt Security Azure App Service Collector

Automatic HTTP traffic collection middleware for Azure App Services - Zero code changes required for comprehensive API security monitoring.

Overview

Salt Security Azure App Service Collector is a site extension that automatically captures HTTP request/response traffic from your ASP.NET Core applications running on Azure App Services. It uses ASP.NET Core's IHostingStartup pattern to inject middleware without requiring any code modifications to your application.

Key Features

• Zero Code Changes - Automatically injects into ASP.NET Core applications via Hosting Startup
• Complete Traffic Capture - Records full HTTP requests and responses including:
  • Headers and query parameters
  • Request and response bodies
  • Status codes and timing information
  • Client IP addresses
• Multi-Framework Support - Compatible with .NET 6.0, 7.0, 8.0, 9.0, and 10.0
• Salt API Integration - Sends data in real-time to Salt Security API for comprehensive security analysis
• Non-Blocking Design - Fire-and-forget pattern ensures zero impact on application performance
• Fail-Safe Architecture - Critical exception handling prevents middleware failures from affecting your application
• Coexistence Ready - Works alongside APM tools like Datadog, New Relic, and Application Insights

Installation

Option 1: Azure Portal (Site Extensions)

1. Navigate to your App Service in Azure Portal
2. Go to Development Tools → Extensions
3. Click + Add
4. Search for "Salt Security" and install the extension
5. Restart your App Service

Option 2: Manual Deployment via Kudu

1. Download the NuGet package
2. Extract the package contents
3. Upload to Kudu Console at: C:\home\SiteExtensions\SaltSecurity.IISAzureAppServiceCollector\{version}\
4. Restart your App Service

Option 3: Direct Package Reference (Advanced)

For local development or custom deployment scenarios:

dotnet add package SaltSecurity.IISAzureAppServiceCollector

Configuration

Required Environment Variables

The extension is activated by Azure App Service automatically when installed as a site extension. For manual configuration:

ASPNETCORE_HOSTINGSTARTUPASSEMBLIES=SaltSecurityCollectorExtension
DOTNET_ADDITIONAL_DEPS=C:\home\SiteExtensions\SaltSecurity.IISAzureAppServiceCollector\{version}\additionalDeps
DOTNET_SHARED_STORE=C:\home\SiteExtensions\SaltSecurity.IISAzureAppServiceCollector\{version}\store

Salt API Integration Configuration

To send traffic data to Salt Security API for real-time security analysis:

SALT_API_ENDPOINT=https://hybrid-us.salttesting.click/api/v1/http/exchange
SALT_AUTH_TOKEN=your-authentication-token
SALT_UUID=your-unique-identifier

Add these in Azure Portal:

1. App Service → Configuration → Application Settings
2. Click + New application setting
3. Add each variable and click Save
4. Restart your App Service

How It Works

Architecture

Azure App Service Start
        ↓
ASP.NET Core Runtime loads IHostingStartup
        ↓
SaltSecurityCollectorExtension auto-injects
        ↓
Middleware captures HTTP traffic (non-blocking)
        ↓
Salt API Integration
(Real-time Analysis)

What Gets Captured

Request Data:

• HTTP method (GET, POST, PUT, DELETE, etc.)
• Full URI including query parameters
• All headers (with sensitive data redaction)
• Request body content
• Client IP address
• Timestamp with millisecond precision

Response Data:

• Status code (200, 404, 500, etc.)
• All response headers
• Response body content
• Processing duration

Special Handling for Different Connection Types:

• Standard HTTP Requests: Full headers and body captured
• Streaming/SSE (Server-Sent Events): Headers only, body excluded to avoid memory issues
• WebSocket Connections: Completely skipped - no headers or body captured (WebSocket upgrade requests are not processed)

What is NOT Captured:

• WebSocket frame data and messages
• Streaming response bodies (SSE, chunked transfer encoding)
• Static file responses may be handled differently based on configuration
• Health check endpoints can be filtered (if configured)

Security Features

• Sensitive Data Redaction - Authorization headers and tokens are automatically masked
• Fail-Safe Design - Middleware exceptions never impact your application
• Async Processing - Traffic data transmission happens in background threads
• Configurable Disable - Can be turned off instantly via environment variable

Compatibility

Supported Frameworks

• .NET 6.0 (LTS - End of support: November 2024)
• .NET 7.0 (STS - End of support: May 2024)
• .NET 8.0 (LTS - Active)
• .NET 9.0 (STS - Active)
• .NET 10.0 (Latest)

Platform Support

• Azure App Services (Windows)
• Azure App Services (Linux) - Experimental
• Local development environments

Compatible with APM Tools

• Datadog APM
• New Relic
• Application Insights
• Any middleware-based monitoring tools

Troubleshooting

Extension Not Activating

1. Check environment variables:

# In Kudu Console (https://yourapp.scm.azurewebsites.net)
echo %ASPNETCORE_HOSTINGSTARTUPASSEMBLIES%

2. Verify installation path:

dir C:\home\SiteExtensions\SaltSecurity.IISAzureAppServiceCollector

3. Check application logs:

type C:\home\LogFiles\Application\*.txt | findstr "SaltSecurity"

No Data Being Sent to Salt API

1. Verify Salt API configuration:

echo %SALT_API_ENDPOINT%
echo %SALT_AUTH_TOKEN%
echo %SALT_UUID%

2. Verify extension is enabled:

echo %SALTSECURITY_ENABLED%
# Should return "true" or nothing (defaults to true)

3. Review application logs for middleware initialization and API connection messages

Performance Impact

The extension is designed for zero blocking impact:

• All traffic data transmission is async (fire-and-forget)
• Exceptions are caught and never propagate
• HTTP API calls use background tasks with timeouts
• No synchronous I/O blocking

If you experience issues, temporarily disable:

SALTSECURITY_ENABLED=false

Development

Building from Source

# Clone the repository
git clone https://github.com/saltsecurity/azure-app-service-collector.git
cd azure-app-service-collector/SaltSecurityCollectorExtension

# Build for all target frameworks
dotnet build --configuration Release

# Create NuGet package
powershell -ExecutionPolicy Bypass -File build-nuget.ps1

Local Testing

# Set environment variables
$env:ASPNETCORE_HOSTINGSTARTUPASSEMBLIES = "SaltSecurityCollectorExtension"
$env:DOTNET_ADDITIONAL_DEPS = "path\to\additionalDeps"
$env:DOTNET_SHARED_STORE = "path\to\store"

# Run your ASP.NET Core app
dotnet run

Support

• Documentation: Salt Security Docs
• Issues: GitHub Issues
• Email: support@saltsecurity.com

License

This project is licensed under the MIT License - see the LICENSE file for details.

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

Changelog

See RELEASE_NOTES.md for version history and updates.

Made with ❤️ by Salt Security