Supported Versions: 10.0 & above
Purpose
This tutorial explains how to configure a JSON threat protection rule in API Gateway.
JavaScript Object Notation (JSON) payloads are a common vector for content-level attacks. Such attacks send very large or deeply nested JSON documents to exhaust the parser's memory or CPU and eventually crash the service.
Applying JSON threat protection in API Gateway helps minimize the risk from such attacks by defining a few limits on the JSON structure.
Note: If a value is not specified, the system uses the default value of -1, which means unlimited (that limit is not enforced at all).
Property | Description |
--- | --- |
Object entry count | Maximum number of entries (key/value pairs) allowed in an object |
Array element count | Maximum number of elements allowed in an array |
Object entry name length | Maximum string length allowed for an object's entry name (key) |
String value length | Maximum length allowed for a string value |
Container depth | Maximum allowed nesting depth of objects and arrays |
Applicable content types | Content types for which this filter is applied |
Below is my JSON threat protection configuration.
Once you define the required values and enable the filter, it becomes part of the threat protection rules.
Threat protection rules are executed only for requests that arrive on an external port, so define an external port in API Gateway and enable it.
Now if I add one more entry to the JSON request, it fails because it exceeds the configured limit.
Instead of revealing which check failed, the gateway returns a 403 Forbidden status with only the error message configured when the rule was created, so a caller cannot probe the thresholds one limit at a time.
Note: Another useful feature is the applicable content types. You can have multiple such filters, each bound to different content types with different limit values.
For example, if you want to allow larger payloads for a particular content type, create a separate filter with higher values for that content type. This way you can selectively allow or restrict payload sizes per content type.
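To make the five limits and the 403 behaviour concrete, here is an added example of a validator that enforces the same limits, keyed by content type, and answers a violation with the generic configured message. It is illustrative code written for this page, not API Gateway's own implementation; the rule values, the bulk content type `application/vnd.example.bulk+json` and the sample request bodies are all constructed. Container depth is measured on the raw text before parsing, so a pathologically deep payload is rejected without ever reaching the parser.

```python
# Added example for this page, not API Gateway code: enforce JSON threat
# protection limits per content type and answer violations with a generic 403.
import json
from dataclasses import dataclass

UNLIMITED = -1  # the gateway's default for an unset limit

@dataclass(frozen=True)
class JsonLimits:
    object_entry_count: int = UNLIMITED
    array_element_count: int = UNLIMITED
    object_entry_name_length: int = UNLIMITED
    string_value_length: int = UNLIMITED
    container_depth: int = UNLIMITED
    error_message: str = "Request blocked by JSON threat protection"

def _exceeds(value, limit):
    return limit != UNLIMITED and value > limit

def max_container_depth(text):
    """Deepest {/[ nesting in the raw text, ignoring brackets inside strings
    (and escaped quotes). Runs before json.loads so deep input never
    reaches the parser."""
    depth = best = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            best = max(best, depth)
        elif ch in "}]":
            depth -= 1
    return best

def first_violation(doc, limits):
    """Walk a parsed document iteratively (no recursion limit to hit) and
    return the name of the first limit it breaks, or None."""
    stack = [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if _exceeds(len(node), limits.object_entry_count):
                return "object_entry_count"
            for key, value in node.items():
                if _exceeds(len(key), limits.object_entry_name_length):
                    return "object_entry_name_length"
                stack.append(value)
        elif isinstance(node, list):
            if _exceeds(len(node), limits.array_element_count):
                return "array_element_count"
            stack.extend(node)
        elif isinstance(node, str):
            if _exceeds(len(node), limits.string_value_length):
                return "string_value_length"
    return None

def enforce(content_type, body, rules):
    """Return (status, message). rules maps a media type to its JsonLimits;
    a content type with no rule passes through unchecked."""
    limits = rules.get(content_type.split(";")[0].strip().lower())
    if limits is None:
        return 200, "no JSON threat protection rule for this content type"
    if _exceeds(max_container_depth(body), limits.container_depth):
        return 403, limits.error_message
    try:
        doc = json.loads(body)
    except ValueError:
        return 400, "malformed JSON"
    if first_violation(doc, limits) is not None:
        # Report only the configured message, never which limit was hit.
        return 403, limits.error_message
    return 200, "ok"

# Constructed rules: a strict default for application/json and a looser one
# for a hypothetical bulk-upload content type.
RULES = {
    "application/json": JsonLimits(object_entry_count=3, array_element_count=5,
                                   object_entry_name_length=16,
                                   string_value_length=64, container_depth=4),
    "application/vnd.example.bulk+json": JsonLimits(array_element_count=1000,
                                                    container_depth=8),
}

if __name__ == "__main__":
    ok = '{"id": 1, "name": "alice", "tags": ["a", "b"]}'
    too_many_entries = '{"id": 1, "name": "alice", "tags": [], "extra": true}'
    too_deep = "[" * 50 + "]" * 50
    for body in (ok, too_many_entries, too_deep):
        print(enforce("application/json; charset=utf-8", body, RULES))
```

The media type is normalised (parameters such as `charset` stripped, lower-cased) before the rule lookup, which is the detail that most often makes a per-content-type filter silently not apply.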