JSON Threat Protection Policy

The JSON Threat Protection policy protects your APIs against malicious JSON payloads by validating the structure of each JSON request against configured limits, including array sizes, field names, and string values. When a payload exceeds any configured structural limit, the policy rejects the request with a 400 status code and a relevant response string.

Description

  • Configured limits apply to JSON object entry count, array size, nesting depth, and property name and value lengths.

  • When any configured limit is exceeded, the gateway blocks the request and returns a 400 response. The backend does not receive the request.

  • The following conditions trigger a rejection:

    • The JSON payload is malformed or syntactically invalid.

    • A JSON object contains more entries than the configured maxEntries limit.

      For example, if maxEntries is set to 5 and an incoming object has 6 key-value pairs, the policy rejects the request.

    • A JSON array contains more elements than the configured maxArraySize limit.

      For example, if maxArraySize is set to 10 and an incoming array has 11 elements, the policy rejects the request.

    • The JSON nesting depth exceeds the configured maxDepth limit.

    • A property name exceeds the configured maxNameLength character limit.

    • A property value exceeds the configured maxValueLength character limit.
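
The rejection conditions listed above can be reproduced offline to test payloads against a planned set of limits before enabling the policy. The following is an added example, not the gateway's own code: a minimal Python validator that applies the same limit names and returns 400 with the first limit that is exceeded. Assumptions: the limit values are constructed, depth counts the top-level object or array as 1, maxValueLength is applied to string values only, and duplicate property names count as separate entries.

```python
import json

# Limit names follow the policy's settings; the values are constructed for this example.
LIMITS = {"maxEntries": 5, "maxArraySize": 10, "maxDepth": 3,
          "maxNameLength": 16, "maxValueLength": 32}

class _Obj(list):
    """JSON object kept as (name, value) pairs so duplicate names still count."""

def check_payload(raw, limits=LIMITS):
    """Return (status, reason): (200, "ok") if within limits, else 400 and the reason."""
    try:
        doc = json.loads(raw, object_pairs_hook=_Obj)
    except (ValueError, RecursionError) as exc:
        # Syntax errors, and nesting too deep for the parser itself, are rejected.
        return 400, f"malformed JSON: {type(exc).__name__}"
    # Iterative walk, so deep nesting cannot exhaust the validator's own stack.
    stack = [(doc, 1)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, _Obj):          # JSON object
            if depth > limits["maxDepth"]:
                return 400, "maxDepth exceeded"
            if len(node) > limits["maxEntries"]:
                return 400, "maxEntries exceeded"
            for name, value in node:
                if len(name) > limits["maxNameLength"]:
                    return 400, "maxNameLength exceeded"
                stack.append((value, depth + 1))
        elif isinstance(node, list):        # JSON array
            if depth > limits["maxDepth"]:
                return 400, "maxDepth exceeded"
            if len(node) > limits["maxArraySize"]:
                return 400, "maxArraySize exceeded"
            stack.extend((item, depth + 1) for item in node)
        elif isinstance(node, str) and len(node) > limits["maxValueLength"]:
            return 400, "maxValueLength exceeded"
    return 200, "ok"
```

Parsing with `object_pairs_hook` matters here: a plain `json.loads` collapses repeated property names into one key, which would undercount entries compared with what was actually sent.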
