JSON Threat protection

Supported Versions: 10.0 & above

Purpose

This tutorial explains how to configure a JSON threat protection rule in API Gateway.

JavaScript Object Notation (JSON) is vulnerable to content-level attacks. Such attacks send huge or deeply nested JSON documents to overwhelm the parser and eventually crash the service.

Applying JSON threat protection in API Gateway helps minimize the risk from such attacks by defining a few limits on the JSON structure.

Note: If a value is not specified, the system uses the default value of -1 (which means unlimited).

Property                   Description
Object entry count         Maximum number of entries allowed in an object
Array element count        Maximum number of elements allowed in an array
Object entry name length   Maximum string length allowed for an object's entry name
String value length        Maximum length allowed for a string value
Container depth            Maximum allowed nesting depth
Applicable content types   Content types for which you want to enable this policy


Below is my JSON threat protection configuration.

Once you define the required values and enable the filter, it becomes part of the threat protection rules.

These threat protection rules are executed only when the request arrives on an external port, so define an external port in API Gateway and enable it.

Now if I add one more object to the JSON request, it should fail, as it exceeds our configuration.

Instead of displaying what has failed, we return a 403 Forbidden status and display only the error message we configured while creating the rule.

Note: One more interesting feature is the applicable content types. You can have multiple such filters, each with different content types and different limit values.

Say, for example, you want to allow larger payloads for a particular content type. You can do that by creating a separate filter with higher values for that content type. This way, payload sizes can be selectively allowed or restricted per content type.
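To make the five limits in the table and the per-content-type filter selection concrete, here is an added Python example that is not part of this tutorial and not API Gateway's own code. It models a rule as a set of limits (with -1 meaning unlimited, as in the gateway), walks a parsed document iteratively to find the first limit that is exceeded, and picks which filter to apply from the request's Content-Type. The depth convention (top-level container is depth 1), the sample payloads and the media type names are constructed for the example; a real gateway enforces these limits while parsing rather than after a full parse.

```python
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

UNLIMITED = -1  # same convention as the gateway: -1 means no limit


@dataclass(frozen=True)
class JsonLimits:
    """One JSON threat protection rule; every field defaults to unlimited."""
    object_entry_count: int = UNLIMITED
    array_element_count: int = UNLIMITED
    object_entry_name_length: int = UNLIMITED
    string_value_length: int = UNLIMITED
    container_depth: int = UNLIMITED


def _exceeds(value: int, limit: int) -> bool:
    return limit != UNLIMITED and value > limit


def check_json_payload(raw: str, limits: JsonLimits) -> Tuple[bool, Optional[str]]:
    """Return (ok, reason). reason names the first exceeded limit, or is None."""
    try:
        doc = json.loads(raw)
    except (ValueError, RecursionError) as exc:  # JSONDecodeError is a ValueError
        return False, f"not parseable JSON ({type(exc).__name__})"
    # Explicit stack instead of recursion so a deeply nested document cannot
    # exhaust the interpreter stack while we are measuring it.
    # Assumed depth convention: the top-level container has depth 1.
    stack = [(doc, 1)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            if _exceeds(depth, limits.container_depth):
                return False, "container depth exceeded"
            if _exceeds(len(node), limits.object_entry_count):
                return False, "object entry count exceeded"
            for key, child in node.items():
                if _exceeds(len(key), limits.object_entry_name_length):
                    return False, "object entry name length exceeded"
                stack.append((child, depth + 1))
        elif isinstance(node, list):
            if _exceeds(depth, limits.container_depth):
                return False, "container depth exceeded"
            if _exceeds(len(node), limits.array_element_count):
                return False, "array element count exceeded"
            for child in node:
                stack.append((child, depth + 1))
        elif isinstance(node, str):
            if _exceeds(len(node), limits.string_value_length):
                return False, "string value length exceeded"
    return True, None


def select_filter(content_type: str, filters: Dict[str, JsonLimits]) -> Optional[JsonLimits]:
    """Pick the rule for a request by media type, ignoring parameters such as charset."""
    media_type = content_type.split(";")[0].strip().lower()
    return filters.get(media_type)


def enforce(content_type: str, raw: str, filters: Dict[str, JsonLimits],
            error_message: str = "Request rejected by JSON threat protection") -> Tuple[int, str]:
    """Return (status, body). Violations get 403 and only the configured message."""
    limits = select_filter(content_type, filters)
    if limits is None:
        return 200, "no JSON threat protection filter applies to this content type"
    ok, reason = check_json_payload(raw, limits)
    if not ok:
        # The exceeded limit (reason) belongs in the gateway log, not in the
        # response: the client only sees the message configured on the rule.
        return 403, error_message
    return 200, "accepted"


# Constructed sample configuration: a strict rule for ordinary requests and a
# more lenient one for a bulk content type (hypothetical media type name).
STRICT = JsonLimits(object_entry_count=3, array_element_count=5,
                    object_entry_name_length=10, string_value_length=20, container_depth=3)
LENIENT = JsonLimits(object_entry_count=100, array_element_count=1000,
                     string_value_length=10_000, container_depth=10)
FILTERS = {"application/json": STRICT, "application/vnd.example.bulk+json": LENIENT}

# Constructed sample payloads.
WITHIN_LIMITS = '{"id": 1, "name": "alice", "roles": ["admin", "dev"]}'          # 3 entries
ONE_TOO_MANY = '{"id": 1, "name": "alice", "roles": ["admin"], "extra": true}'   # 4 entries
TOO_DEEP = '{"a": {"b": {"c": {"d": 1}}}}'                                        # depth 4

if __name__ == "__main__":
    for ctype, body in [("application/json; charset=utf-8", WITHIN_LIMITS),
                        ("application/json; charset=utf-8", ONE_TOO_MANY),
                        ("application/vnd.example.bulk+json", ONE_TOO_MANY),
                        ("application/json", TOO_DEEP)]:
        print(ctype, "->", enforce(ctype, body, FILTERS))
```

The same four-entry payload is rejected under the strict `application/json` rule and accepted under the bulk content type, which is the selective allow/restrict behaviour described above; with an all-default `JsonLimits()` (every field -1) nothing is ever rejected, matching the gateway's "unlimited" default.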