Design and Implementation
Sequence Diagram
The following diagram illustrates the request flow when the XML Threat Protection policy is configured on an API endpoint.
Implementation Details
The policy processes each inbound request through the following steps:
-
The policy inspects the
Content-Typerequest header (text/xml,application/xml, or any media type ending in+xml(including SOAP services)). If the content type is not XML-compatible (for example,application/json), the request is forwarded to the backend. -
The policy reads the full request body. If the body is empty or absent, it treats it as valid and forwards it to the backend.
-
If
allowExternalEntitiesisfalse(the default) and the XML document contains an external entity reference, the request is immediately rejected with a400 XML External Entity Reference Encounterederror. -
The policy parses the XML body and validates it gainst the configured structural limits -
maxElements,maxDepth,maxLength,maxAttributesPerElement,maxAttributeValueLength,maxChildrenPerElement,maxTextValueLength,maxEntities,maxEntityDepth. -
If any configured limit is exceeded, the request is rejected with
400status code and message identifying the violated constraint. For example,Max XML Depth Exceeded. -
If a configuration value is invalid or non-numeric, the default value is used to prevent requests from being blocked caused by misconfiguration.
-
If all checks pass, the request is forwarded to the backend.
Error Messages
When the policy detects a structural violation, it rejects the request immediately with a 400 status code and the corresponding status message.
| Code | HTTP status message | Reason |
|---|---|---|
| 400 | Invalid XML Data | The request body is not valid XML. |
| 400 | Max XML Elements Exceeded | The configured maxElements limit has been exceeded. |
| 400 | Max XML Depth Exceeded | The configured maxDepth limit has been exceeded. |
| 400 | Max XML Document Length Exceeded | The configured maxLength limit has been exceeded. |
| 400 | Max XML Attribute Count Exceeded | The configured maxAttributesPerElement limit has been exceeded. |
| 400 | Max XML Attribute Size Exceeded | The configured maxAttributeValueLength limit has been exceeded. |
| 400 | Max XML Child Element Count Exceeded | The configured maxChildrenPerElement limit has been exceeded. |
| 400 | Max XML Text Size Exceeded | The configured maxTextValueLength limit has been exceeded. |
| 400 | Max XML Entity Expansion Count Exceeded | The configured maxEntities limit has been exceeded. |
| 400 | Max XML Entity Expansion Depth Exceeded | The configured maxEntityDepth limit has been exceeded. |
| 400 | XML External Entity Reference Encountered | An external entity reference was detected and allowExternalEntities is set to false. |
