add security message

Author: cephalin

articles/app-service/tutorial-ai-agent-web-app-semantic-kernel-foundry-dotnet.md

@@ -14,7 +14,7 @@ ms.collection: ce-skilling-ai-copilot
 
 # Tutorial: Build an agentic web app in Azure App Service with Microsoft Semantic Kernel or Azure AI Foundry Agent Service (.NET)
 
-This tutorial demonstrates how to add agentic capability to an existing data-driven CRUD application. It does this using two different approaches: Microsoft Semantic Kernel and Azure AI Foundry Agent Service.
+This tutorial demonstrates how to add agentic capability to an existing data-driven ASP.NET Core CRUD application. It does this using two different approaches: Microsoft Semantic Kernel and Azure AI Foundry Agent Service.
 
 If your web application already has useful features, like shopping, hotel booking, or data management, it's relatively straightforward to add agent functionality to your web application by wrapping those functionalities in a plugin (for Semantic Kernel) or as an OpenAPI endpoint (for AI Foundry Agent Service). In this tutorial, you start with a simple to-do list app. By the end, you'll be able to create, update, and manage tasks with an agent in an App Service app.
 

articles/app-service/tutorial-ai-agent-web-app-semantic-kernel-java.md

@@ -12,9 +12,9 @@ ms.custom:
 ms.collection: ce-skilling-ai-copilot
 ---
 
-# Tutorial: Build an agentic web app in Azure App Service with Microsoft Semantic Kernel (Java)
+# Tutorial: Build an agentic web app in Azure App Service with Microsoft Semantic Kernel (Spring Boot)
 
-This tutorial demonstrates how to add agentic capability to an existing data-driven CRUD application. It does this using Microsoft Semantic Kernel.
+This tutorial demonstrates how to add agentic capability to an existing data-driven Spring Boot WebFlux CRUD application. It does this using Microsoft Semantic Kernel.
 
 If your web application already has useful features, like shopping, hotel booking, or data management, it's relatively straightforward to add agent functionality to your web application by wrapping those functionalities in a plugin (for Semantic Kernel). In this tutorial, you start with a simple to-do list app. By the end, you'll be able to create, update, and manage tasks with an agent in an App Service app.
 
@@ -28,7 +28,7 @@ In this tutorial, you learn how to:
 > [!div class="checklist"]
 > * Convert existing app functionality into a plugin for Semantic Kernel.
 > * Add the plugin to a Semantic Kernel agent and use it in a web app.
-- Assign the required permissions for managed identity connectivity.
+> * Assign the required permissions for managed identity connectivity.
 
 ## Prerequisites
 
@@ -39,6 +39,8 @@ In this tutorial, you learn how to:
 
 The easiest way to get started is by using GitHub Codespaces, which provides a complete development environment with all required tools preinstalled.
 
+[![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/Azure-Samples/app-service-agentic-semantic-kernel-java)
+
 1. Navigate to the GitHub repository at [https://github.com/Azure-Samples/app-service-agentic-semantic-kernel-java](https://github.com/Azure-Samples/app-service-agentic-semantic-kernel-java).
 
 2. Select the **Code** button, select the **Codespaces** tab, and click **Create codespace on main**.
@@ -55,9 +57,9 @@ The easiest way to get started is by using GitHub Codespaces, which provides a c
 
 ## Review the agent code
 
-The Semantic Kernel agent is initialized in [src/main/java/com/example/crudtaskswithagent/controller/AgentController.java](), when the user enters the first prompt in a new browser session. 
+The Semantic Kernel agent is initialized in [src/main/java/com/example/crudtaskswithagent/controller/AgentController.java](https://github.com/Azure-Samples/app-service-agentic-semantic-kernel-java/blob/main/src/main/java/com/example/crudtaskswithagent/controller/AgentController.java), when the user enters the first prompt in a new browser session. 
 
-You can find the initialization code in the `SemanticKernelAgentService` contructor (in [src/main/java/com/example/crudtaskswithagent/service/SemanticKernelAgentService.java]()). The initialization code does the following: 
+You can find the initialization code in the `SemanticKernelAgentService` contructor (in [src/main/java/com/example/crudtaskswithagent/service/SemanticKernelAgentService.java](https://github.com/Azure-Samples/app-service-agentic-semantic-kernel-java/blob/main/src/main/java/com/example/crudtaskswithagent/service/SemanticKernelAgentService.java)). The initialization code does the following: 
 
 - Creates a kernel with chat completion.
 - Adds a kernel plugin that encapsulates the functionality of the CRUD application (in *src/main/java/com/example/crudtaskswithagent/plugin/TaskCrudPlugin.java*). The interesting parts of the plugin are the `DefineKernelFunction` annotations on the method declarations and the `description` and `returnType` parameters that help the kernel call the plugin intelligently.
@@ -66,7 +68,7 @@ You can find the initialization code in the `SemanticKernelAgentService` contruc
 
 :::code language="csharp" source="~/app-service-agentic-semantic-kernel-java/src/main/java/com/example/crudtaskswithagent/service/SemanticKernelAgentService.java" range="38-90" highlight="11-48,58" :::
 
-Each time the prompt is received, the server code uses ChatCompletionAgent.invokeAsync() invoke the agent with the user prompt.
+Each time the prompt is received, the server code uses `ChatCompletionAgent.invokeAsync()` to invoke the agent with the user prompt and the agent thread. the agent thread keeps track of the chat history.
 
 :::code language="csharp" source="~/app-service-agentic-semantic-kernel-java/src/main/java/com/example/crudtaskswithagent/service/SemanticKernelAgentService.java" range="109-158" highlight="8" :::
 

articles/app-service/tutorial-ai-integrate-azure-ai-agent-dotnet.md

@@ -12,7 +12,7 @@ ms.collection: ce-skilling-ai-copilot
 
 # Add an App Service app as a tool in Azure AI Foundry Agent Service (.NET)
 
-In this tutorial, you'll learn how to expose your app's functionality through OpenAPI, add it as a tool to Azure AI Foundry Agent Service, and interact with your app using natural language in the agents playground. 
+In this tutorial, you'll learn how to expose an ASP.NET Core app's functionality through OpenAPI, add it as a tool to Azure AI Foundry Agent Service, and interact with your app using natural language in the agents playground. 
 
 If your web application already has useful features, like shopping, hotel booking, or data management, it's easy to make those capabilities available to an AI agent in Azure AI Foundry Agent Service. By simply adding an OpenAPI schema to your app, you enable the agent to understand and use your app's capabilities when it responds to users' prompts. This means anything your app can do, your AI agent can do too, with minimal effort beyond creating an OpenAPI endpoint for your app. In this tutorial, you start with a simple to-do list app. By the end, you'll be able to create, update, and manage tasks with an agent through conversational AI.
 
@@ -163,15 +163,15 @@ At a minimum, open the [sample application](https://github.com/Azure-Samples/msd
 
 1. Navigate to the Swagger UI by adding `/swagger/index.html` to the URL.
 
-1. Confirm that the API operations work by trying them out. in the Swagger UI.
+1. Confirm that the API operations work by trying them out in the Swagger UI.
 
 1. Back in the codespace terminal, deploy your changes by committing your changes (GitHub Actions method) or run `azd up` (Azure Developer CLI method).
 
 1. Once your changes are deployed, navigate to `https://<your-app's-url>/swagger/v1/swagger.json` and copy the schema for later.
 
 ## Create an agent in Azure AI Foundry
 
-1. Create an agent in the Azure AI Foundry portal by following the steps at:[Quickstart: Create a new agent](/azure/ai-services/agents/quickstart?pivots=ai-foundry-portal).
+1. Create an agent in the Azure AI Foundry portal by following the steps at: [Quickstart: Create a new agent](/azure/ai-services/agents/quickstart?pivots=ai-foundry-portal).
 
     Note the [models you can use and the available regions](/azure/ai-services/agents/concepts/model-region-support#azure-openai-models). 
 
@@ -193,6 +193,23 @@ At a minimum, open the [sample application](https://github.com/Azure-Samples/msd
     
     :::image type="content" source="media/tutorial-ai-integrate-azure-ai-agent-dotnet/agents-playground.png" alt-text="Screenshot showing the agents playground in the middle of a conversation that takes actions by using the OpenAPI tool.":::
 
+## Security best practices
+
+When exposing APIs via OpenAPI in Azure App Service, follow these security best practices:
+
+- **Authentication and Authorization**: Protect your OpenAPI endpoints in App Service behind [Azure API Management with Microsoft Entra ID](/azure/api-management/api-management-howto-protect-backend-with-aad) and ensure only authorized users or agents can access the tools.
+- **Validate input data:** The sample code checks `ModelState.IsValid` in the `CreateTodo` method, which ensures that the incoming data matches the model's validation attributes. For more information, see [Model validation in ASP.NET Core](https://learn.microsoft.com/aspnet/core/mvc/models/validation).
+- **Use HTTPS:** The sample relies on Azure App Service, which enforces HTTPS by default and provides free TLS/SSL certificates to encrypt data in transit.
+- **Limit CORS:** Restrict Cross-Origin Resource Sharing (CORS) to trusted domains only. For more information, see [Enable CORS](app-service-web-tutorial-rest-api.md#enable-cors).
+- **Apply rate limiting:** Use [API Management](/azure/api-management/api-management-sample-flexible-throttling) or custom middleware to prevent abuse and denial-of-service attacks.
+- **Hide sensitive endpoints:** Avoid exposing internal or admin APIs in your OpenAPI schema.
+- **Review OpenAPI schema:** Ensure your OpenAPI schema doesn't leak sensitive information (such as internal URLs, secrets, or implementation details).
+- **Keep dependencies updated:** Regularly update NuGet packages and monitor for security advisories.
+- **Monitor and log activity:** Enable logging and monitor access to detect suspicious activity.
+- **Use managed identities:** When calling other Azure services, use managed identities instead of hardcoded credentials.
+
+For more guidance, see [Secure your App Service app](https://learn.microsoft.com/azure/app-service/security-overview) and [Best practices for REST API security](https://learn.microsoft.com/azure/architecture/best-practices/api-design#security).
+
 ## Next step
 
 You've now enabled your App Service app to be used as a tool by Azure AI Foundry Agent Service and interact with your app's APIs through natural language in the agents playground. From here, you can continue add features to your agent in the Foundry portal, integrate it into your own applications using the Azure AI Foundry SDK or REST API, or deploy it as part of a larger solution. Agents created in Azure AI Foundry can be run in the cloud, integrated into chatbots, or embedded in web and mobile apps.

articles/app-service/tutorial-ai-integrate-azure-ai-agent-java.md

@@ -10,9 +10,9 @@ ms.custom:
 ms.collection: ce-skilling-ai-copilot
 ---
 
-# Add an App Service app as a tool in Azure AI Foundry Agent Service (Java)
+# Add an App Service app as a tool in Azure AI Foundry Agent Service (Spring Boot)
 
-In this tutorial, you'll learn how to expose your app's functionality through OpenAPI, add it as a tool to Azure AI Foundry Agent Service, and interact with your app using natural language in the agents playground. 
+In this tutorial, you'll learn how to expose a Spring Boot web app's functionality through OpenAPI, add it as a tool to Azure AI Foundry Agent Service, and interact with your app using natural language in the agents playground. 
 
 If your web application already has useful features, like shopping, hotel booking, or data management, it's easy to make those capabilities available to an AI agent in Azure AI Foundry Agent Service. By simply adding an OpenAPI schema to your app, you enable the agent to understand and use your app's capabilities when it responds to users' prompts. This means anything your app can do, your AI agent can do too, with minimal effort beyond creating an OpenAPI endpoint for your app. In this tutorial, you start with a simple to-do list app. By the end, you'll be able to create, update, and manage tasks with an agent through conversational AI.
 
@@ -26,7 +26,7 @@ If your web application already has useful features, like shopping, hotel bookin
 
 ## Prerequisites
 
-This tutorial assumes you're working with the sample used in[Tutorial: Build a Java Spring Boot web app with Azure App Service on Linux and Azure Cosmos DB](tutorial-java-spring-cosmosdb.md). 
+This tutorial assumes you're working with the sample used in [Tutorial: Build a Java Spring Boot web app with Azure App Service on Linux and Azure Cosmos DB](tutorial-java-spring-cosmosdb.md). 
 
 At a minimum, open the [sample application](https://github.com/Azure-Samples/msdocs-spring-boot-mongodb-sample-app) in GitHub Codespaces and deploy the app by running `azd up`.
 
@@ -35,7 +35,7 @@ At a minimum, open the [sample application](https://github.com/Azure-Samples/msd
 > [!TIP]
 > You can make all the following changes by telling GitHub Copilot in Agent mode:
 >
-> `I'd generate OpenAPI functionality using Spring Boot OpenAPI. Please also generate the server URL and operation ID in the schema.`
+> `I'd like to generate OpenAPI functionality using Spring Boot OpenAPI. Please also generate the server URL and operation ID in the schema.`
 
 1. In the codespace, open *pom.xml* and add the following dependency:
 
@@ -115,15 +115,15 @@ At a minimum, open the [sample application](https://github.com/Azure-Samples/msd
 
 1. Navigate to the Swagger UI by adding `/swagger-ui.html` to the URL.
 
-1. Confirm that the API operations work by trying them out. in the Swagger UI.
+1. Confirm that the API operations work by trying them out in the Swagger UI.
 
 1. Back in the codespace terminal, deploy your changes by committing your changes (GitHub Actions method) or run `azd up` (Azure Developer CLI method).
 
 1. Once your changes are deployed, navigate to `https://<your-app's-url>/v3/api-docs` and copy the schema for later.
 
 ## Create an agent in Azure AI Foundry
 
-1. Create an agent in the Azure AI Foundry portal by following the steps at:[Quickstart: Create a new agent](/azure/ai-services/agents/quickstart?pivots=ai-foundry-portal).
+1. Create an agent in the Azure AI Foundry portal by following the steps at: [Quickstart: Create a new agent](/azure/ai-services/agents/quickstart?pivots=ai-foundry-portal).
 
     Note the [models you can use and the available regions](/azure/ai-services/agents/concepts/model-region-support#azure-openai-models). 
 
@@ -145,6 +145,23 @@ At a minimum, open the [sample application](https://github.com/Azure-Samples/msd
 
     :::image type="content" source="media/tutorial-ai-integrate-azure-ai-agent-dotnet/agents-playground.png" alt-text="Screenshot showing the agents playground in the middle of a conversation that takes actions by using the OpenAPI tool.":::
 
+## Security best practices
+
+When exposing APIs via OpenAPI in Azure App Service, follow these security best practices:
+
+- **Authentication and Authorization**: Protect your OpenAPI endpoints in App Service behind [Azure API Management with Microsoft Entra ID](/azure/api-management/api-management-howto-protect-backend-with-aad) and ensure only authorized users or agents can access the tools.
+- **Validate and sanitize input data:** The example code in this tutorial omits input validation and sanitization for simplicity and clarity. In production scenarios, always implement proper validation and sanitization to protect your application. For Spring, see [Spring: Validating Form Input](https://spring.io/guides/gs/validating-form-input).
+- **Use HTTPS:** The sample relies on Azure App Service, which enforces HTTPS by default and provides free TLS/SSL certificates to encrypt data in transit.
+- **Limit CORS:** Restrict Cross-Origin Resource Sharing (CORS) to trusted domains only. For more information, see [Enable CORS](app-service-web-tutorial-rest-api.md#enable-cors).
+- **Apply rate limiting:** Use [API Management](/azure/api-management/api-management-sample-flexible-throttling) or custom middleware to prevent abuse and denial-of-service attacks.
+- **Hide sensitive endpoints:** Avoid exposing internal or admin APIs in your OpenAPI schema.
+- **Review OpenAPI schema:** Ensure your OpenAPI schema doesn't leak sensitive information (such as internal URLs, secrets, or implementation details).
+- **Keep dependencies updated:** Regularly update NuGet packages and monitor for security advisories.
+- **Monitor and log activity:** Enable logging and monitor access to detect suspicious activity.
+- **Use managed identities:** When calling other Azure services, use managed identities instead of hardcoded credentials.
+
+For more guidance, see [Secure your App Service app](https://learn.microsoft.com/azure/app-service/security-overview) and [Best practices for REST API security](https://learn.microsoft.com/azure/architecture/best-practices/api-design#security).
+
 ## Next step
 
 You've now enabled your App Service app to be used as a tool by Azure AI Foundry Agent Service and interact with your app's APIs through natural language in the agents playground. From here, you can continue add features to your agent in the Foundry portal, integrate it into your own applications using the Azure AI Foundry SDK or REST API, or deploy it as part of a larger solution. Agents created in Azure AI Foundry can be run in the cloud, integrated into chatbots, or embedded in web and mobile apps.