
Usage

Review the following considerations when configuring the XML Threat Protection policy.

  • This policy supports only pre-processing, so the Pre-processing field must be configured for this policy to function.

  • It enforces XML payload limits on element count, nesting depth, document length, attribute count, and text value length, bounding the CPU and memory a single payload can consume in the parser (these size limits address resource exhaustion; external entities are controlled separately by the allowExternalEntities setting below).

  • External entity resolution is disabled (allowExternalEntities=false) by default. Only enable allowExternalEntities=true if your backend explicitly requires external entity resolution, as this exposes the gateway to XML External Entity (XXE) injection.

  • It protects against entity expansion attacks (Billion Laughs), where nested entity references expand into a document exponentially larger than the request body, exhausting parser memory.

  • It is useful for APIs that need OWASP API Security alignment for API4:2023 (Unrestricted Resource Consumption) and API10:2023 (Unsafe Consumption of APIs).

  • The policy is optimized for minimal memory usage when processing XML payloads, even under high request volumes.
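To make the limits above concrete, the following is an added example (written for this page, not TIBCO Mashery's code) that applies the same kinds of checks with Python's streaming expat parser: nesting depth, element count, attribute count, text value length, document length, external entity declarations, and an entity-expansion budget. The limit names mirror the policy's keys, but the default values, the class and function names, and the maxEntityExpansion budget are assumptions for illustration; the sample payloads are constructed inline. Because every check runs on the stream, a hostile document is rejected before any entity is expanded.

```python
"""Streaming XML threat checks in the spirit of the policy's limits.

Added example, not Mashery's code. Limit names mirror the policy keys;
the default values and the entity-expansion budget are assumed.
"""
import xml.parsers.expat as expat
from dataclasses import dataclass


class XmlThreat(Exception):
    """Raised with a short reason when a payload violates a limit."""


@dataclass
class Limits:
    max_depth: int = 10
    max_elements: int = 200
    max_attributes: int = 20
    max_text_length: int = 1_000
    max_document_length: int = 64 * 1024
    max_entity_expansion: int = 10_000   # assumed: chars any one entity may expand to
    allow_external_entities: bool = False


class _Checker:
    """Expat callbacks that raise XmlThreat at the first violated limit."""

    def __init__(self, limits: Limits):
        self.l = limits
        self.depth = 0
        self.elements = 0
        self.text_len = []        # running text length per open element
        self.entity_size = {}     # entity name -> fully expanded length

    def start(self, name, attrs):
        self.depth += 1
        self.elements += 1
        if self.depth > self.l.max_depth:
            raise XmlThreat(f"maxDepth exceeded at <{name}>")
        if self.elements > self.l.max_elements:
            raise XmlThreat("maxElements exceeded")
        if len(attrs) > self.l.max_attributes:
            raise XmlThreat(f"maxAttributes exceeded on <{name}>")
        self.text_len.append(0)

    def end(self, name):
        self.depth -= 1
        self.text_len.pop()

    def chars(self, data):
        # expat may deliver one text node in several chunks: keep a running total
        if self.text_len:
            self.text_len[-1] += len(data)
            if self.text_len[-1] > self.l.max_text_length:
                raise XmlThreat("maxTextLength exceeded")

    def entity_decl(self, name, is_param, value, base, system_id, public_id, notation):
        if value is None:  # SYSTEM/PUBLIC identifier: an external entity
            if not self.l.allow_external_entities:
                raise XmlThreat(f"external entity '{name}' declared (XXE)")
            return
        # Internal entity: compute its expanded size from entities declared so far.
        # Billion Laughs builds lolN out of lolN-1, so sizes are known in order.
        size = len(value)
        for ref, ref_size in self.entity_size.items():
            token = f"&{ref};"
            size += value.count(token) * (ref_size - len(token))
        if size > self.l.max_entity_expansion:
            raise XmlThreat(f"entity '{name}' expands to {size} chars")
        self.entity_size[name] = size


def check_xml(payload: bytes, limits: Limits = Limits()) -> tuple[bool, str]:
    """Return (accepted, reason) for a raw request body."""
    if len(payload) > limits.max_document_length:
        return False, "maxDocumentLength exceeded"
    c = _Checker(limits)
    p = expat.ParserCreate()
    p.StartElementHandler = c.start
    p.EndElementHandler = c.end
    p.CharacterDataHandler = c.chars
    p.EntityDeclHandler = c.entity_decl
    try:
        p.Parse(payload, True)
    except XmlThreat as e:
        return False, str(e)
    except expat.ExpatError as e:
        return False, f"malformed XML: {e}"
    return True, "ok"


def billion_laughs(levels: int = 9) -> bytes:
    """Constructed Billion Laughs payload: each level references the previous ten times."""
    decls = ['<!ENTITY lol "lol">']
    prev = "lol"
    for i in range(1, levels + 1):
        decls.append('<!ENTITY lol%d "%s">' % (i, ("&%s;" % prev) * 10))
        prev = f"lol{i}"
    doc = '<?xml version="1.0"?><!DOCTYPE lolz [%s]><lolz>&%s;</lolz>' % ("".join(decls), prev)
    return doc.encode()


# Constructed sample payloads
SAMPLE_OK = b'<?xml version="1.0"?><order id="1"><item sku="A1">widget</item></order>'
SAMPLE_XXE = (b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
              b'<d>&xxe;</d>')

if __name__ == "__main__":
    for label, body in [("ok", SAMPLE_OK), ("xxe", SAMPLE_XXE), ("lol", billion_laughs())]:
        print(label, check_xml(body))
```

Note that with allow_external_entities=True this checker only stops rejecting the declaration; it never fetches the referenced resource itself, which is exactly the behaviour you want to confirm of any backend before enabling allowExternalEntities=true on the gateway.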

Chaining with other policies

You can combine the XML Threat Protection policy with other processors on a single endpoint using Mashery_Proxy_Processor_Chain. To configure a chain on the Call Transformation page, enter the adapter identifiers as a comma-separated list in the processors key. For each adapter's individual configuration parameters, use the format <processor-name>.<config-name>: <config-value>.

Example

Data to make available for pre-processing

The following is an example value for the Data to make available for pre-processing field. It chains the XML Threat Protection policy with the Regex Threat Protection policy, with each processor's settings prefixed by its adapter identifier:

processors: com.mashery.proxy.protection.xml-threat-protection,com.mashery.proxy.protection.regex-threat-protection
com.mashery.proxy.protection.xml-threat-protection.maxDepth: 10
com.mashery.proxy.protection.xml-threat-protection.maxElements: 200
com.mashery.proxy.protection.xml-threat-protection.allowExternalEntities: false
com.mashery.proxy.protection.regex-threat-protection.regex: .*(?i)(SELECT|DROP|UNION).*
com.mashery.proxy.protection.regex-threat-protection.checkBody: true

Refer to Chaining Processors for a full overview of chaining types and adapter compatibility.
