Usage
Review the following considerations when configuring the JSON Threat Protection policy.
- This policy supports only pre-processing, so the Pre-processing field must be configured for this policy to function.
- It enforces JSON payload limits on nesting depth, object entries, array sizes, and key/value lengths.
- It helps protect your APIs against payload-amplification attacks that exploit deep recursion or excessive entries (analogous to "Billion Laughs" attacks adapted for JSON).
- It is useful for APIs that need OWASP API Security alignment for API4:2023 (Unrestricted Resource Consumption) and API10:2023 (Unsafe Consumption of APIs).
- The policy is optimized for minimal memory usage and efficiently processes request bodies, even under high request volumes.
Chaining with other policies
You can combine the JSON Threat Protection policy with other processors on a single endpoint using Mashery_Proxy_Processor_Chain. To configure a chain on the Call Transformation page, enter the adapter identifiers as a comma-separated list in the processors key. For each adapter's individual configuration parameters, use the format <processor-name>.<config-name>: <config-value>.
Example
Data to make available for pre-processing
The following is an example value for the Data to make available for pre-processing field. It chains the JSON Threat Protection policy with the Regex Threat Protection policy:
processors: com.mashery.proxy.protection.json-threat-protection,com.mashery.proxy.protection.regex-threat-protection
com.mashery.proxy.protection.json-threat-protection.maxDepth: 10
com.mashery.proxy.protection.json-threat-protection.maxArraySize: 50
com.mashery.proxy.protection.regex-threat-protection.regex: .*(?i)(SELECT|DROP|UNION).*
com.mashery.proxy.protection.regex-threat-protection.checkBody: true
Refer to Chaining Processors for a full overview of chaining types and adapter compatibility.
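The following Python model is an added illustration, not Mashery's implementation, of the two mechanisms this page describes: it parses the chained-processor configuration above into per-adapter settings, then enforces the structural limits the policy covers (nesting depth, object entries, array sizes, key/value lengths) on a request body. Only maxDepth and maxArraySize are named on this page; maxObjectEntries, maxKeyLength and maxStringLength are assumed names chosen for the example, as are all function names. The depth check runs as a bracket scan before parsing, so an over-nested payload is rejected without ever building the tree, which is the behaviour that matters against amplification payloads.

```python
import json

JSON_TP = "com.mashery.proxy.protection.json-threat-protection"

# Limits mirror the policy's categories. Only maxDepth and maxArraySize are
# named on this page; the other keys are assumed names for this illustration.
DEFAULT_LIMITS = {"maxDepth": 10, "maxObjectEntries": 100, "maxArraySize": 50,
                  "maxKeyLength": 64, "maxStringLength": 1024}


def parse_chain_config(text):
    """Split 'key: value' lines into (processor order, per-processor settings)."""
    pairs = []
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            pairs.append((key.strip(), value.strip()))
    order = next((v.split(",") for k, v in pairs if k == "processors"), [])
    order = [p.strip() for p in order if p.strip()]
    settings = {p: {} for p in order}
    for key, value in pairs:
        for proc in order:  # "<processor-name>.<config-name>: <config-value>"
            if key.startswith(proc + "."):
                settings[proc][key[len(proc) + 1:]] = value
    return order, settings


def limits_from_config(text):
    """Overlay the JSON Threat Protection adapter's numeric settings on defaults."""
    _, settings = parse_chain_config(text)
    overrides = {k: int(v) for k, v in settings.get(JSON_TP, {}).items()}
    return {**DEFAULT_LIMITS, **overrides}


def max_nesting(body, limit):
    """Peak bracket depth, ignoring brackets inside strings. Returns early the
    moment the limit is exceeded, before any parse tree is allocated."""
    depth = peak = 0
    in_string = escaped = False
    for ch in body:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            peak = max(peak, depth)
            if depth > limit:
                return depth
        elif ch in "]}":
            depth -= 1
    return peak


class JsonThreatError(ValueError):
    """Raised when a parsed payload exceeds a configured structural limit."""


def check_node(node, limits):
    """Walk the parsed tree and enforce entry, array-size and length limits."""
    if isinstance(node, dict):
        if len(node) > limits["maxObjectEntries"]:
            raise JsonThreatError(f"object has {len(node)} entries > maxObjectEntries")
        for key, value in node.items():
            if len(key) > limits["maxKeyLength"]:
                raise JsonThreatError(f"key length {len(key)} > maxKeyLength")
            check_node(value, limits)
    elif isinstance(node, list):
        if len(node) > limits["maxArraySize"]:
            raise JsonThreatError(f"array has {len(node)} elements > maxArraySize")
        for item in node:
            check_node(item, limits)
    elif isinstance(node, str) and len(node) > limits["maxStringLength"]:
        raise JsonThreatError(f"string length {len(node)} > maxStringLength")


def inspect_body(body, limits=None):
    """Return (accepted, reason) for a raw request body."""
    limits = {**DEFAULT_LIMITS, **(limits or {})}
    peak = max_nesting(body, limits["maxDepth"])
    if peak > limits["maxDepth"]:
        return False, f"nesting depth {peak} > maxDepth={limits['maxDepth']}"
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return False, f"malformed JSON: {exc.msg}"
    try:
        check_node(doc, limits)
    except JsonThreatError as exc:
        return False, str(exc)
    return True, "ok"


# Constructed sample: the chained configuration shown on this page.
SAMPLE_CONFIG = """\
processors: com.mashery.proxy.protection.json-threat-protection,com.mashery.proxy.protection.regex-threat-protection
com.mashery.proxy.protection.json-threat-protection.maxDepth: 10
com.mashery.proxy.protection.json-threat-protection.maxArraySize: 50
com.mashery.proxy.protection.regex-threat-protection.regex: .*(?i)(SELECT|DROP|UNION).*
com.mashery.proxy.protection.regex-threat-protection.checkBody: true
"""

if __name__ == "__main__":
    cfg = limits_from_config(SAMPLE_CONFIG)
    for sample in ('{"user": "alice", "roles": ["admin", "dev"]}',
                   "[" * 12 + "]" * 12, "[" + ",".join(["0"] * 51) + "]"):
        print(inspect_body(sample, cfg))
```

The regex adapter's settings are parsed but not evaluated here; the point of the block is that each adapter receives only its own prefixed keys, and that the depth limit is applied on the raw bytes rather than on a fully parsed document.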