XML Threat Protection Policy Configuration Values
The following configuration values can be defined while configuring the XML Threat Protection policy on the Call Transformation page:
Note:
- Only pre-processing is applicable for this policy. Post-processing is not applicable.
- Setting a limit to -1 disables that check, allowing selective structural protection.
| Field name | Type | Field Value | Required/Optional | Description |
|---|---|---|---|---|
| Processing Adapter | String | com.mashery.proxy.protection.xml-threat-protection | Required | Adapter that validates XML request bodies against the configured structural limits and rejects threats with HTTP 400. |
| Perform Pre-processing | Boolean | Enabled / Disabled | Required | When enabled, the policy inspects the XML request body before forwarding the request to the backend. |
| Data to make available for pre-processing (PreInput Values) | Map | | | Key/value pairs; the supported keys are listed in the rows below. |
| | Integer (-1 to specify no limit) | maxElements | Optional | The maximum number of elements allowed in an XML document. For example, `<root><a>1</a><b></b></root>` has three elements. Default: 1000. |
| | Integer (-1 to specify no limit) | maxDepth | Optional | The maximum nesting depth of the XML structure. For example, `<root><a><b>1</b></a></root>` has a depth of two. Default: 100. |
| | Integer (-1 to specify no limit) | maxLength | Optional | The maximum number of characters allowed for the entire XML document. Default: 1000. |
| | Integer (-1 to specify no limit) | maxAttributesPerElement | Optional | The maximum number of attributes allowed on a single XML element. Default: 100. |
| | Integer (-1 to specify no limit) | maxAttributeValueLength | Optional | The maximum length of an individual attribute value. Default: 100. |
| | Integer (-1 to specify no limit) | maxChildrenPerElement | Optional | The maximum number of child elements allowed for a given element. For example, in `<root><a><b>1</b><c>2</c></a></root>` element `a` has two children. Default: 100. |
| | Integer (-1 to specify no limit) | maxTextValueLength | Optional | The maximum length of an individual text node value. Default: 100. |
| | Integer (-1 to specify no limit) | maxEntities | Optional | The maximum number of entity expansions allowed. XML entities are a type of macro and are vulnerable to entity expansion attacks. Default: 100. |
| | Integer (-1 to specify no limit) | maxEntityDepth | Optional | The maximum depth of nested entity expansions allowed. Default: 100. |
| | Boolean | allowExternalEntities | Optional | Whether to allow the inclusion of external entities. Note: XML is vulnerable to XXE injection, so only enable this if your backend explicitly requires external entity resolution. Default: false. |
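As an added illustration (not the policy's own code), the following Python checker applies the same structural limits to a request body using the defaults from the table: -1 disables a check, depth and children are counted as in the table's examples, and external entity references are refused unless allowExternalEntities is set. The entity expansion limits (maxEntities, maxEntityDepth) are not modelled here.

```python
from xml.parsers import expat
DEFAULTS = {  # values from the table above; -1 disables the corresponding check
    "maxElements": 1000, "maxDepth": 100, "maxLength": 1000,
    "maxAttributesPerElement": 100, "maxAttributeValueLength": 100,
    "maxChildrenPerElement": 100, "maxTextValueLength": 100,
    "allowExternalEntities": False}

class XmlThreat(ValueError):
    """Carries the name of the violated limit; the policy answers HTTP 400."""
def check_xml(doc: str, **overrides) -> dict:
    """Stream-parse doc and report the first limit exceeded. Depth is counted as
    on this page, so <root><a><b>1</b></a></root> has depth 2."""
    lim = {**DEFAULTS, **overrides}
    def enforce(name, value):
        if lim[name] != -1 and value > lim[name]:
            raise XmlThreat(name)
    stats = {"elements": 0, "depth": 0, "violation": None}
    stack = []  # one child counter per currently open element
    text = []   # pieces of the current text node (expat may deliver it in chunks)
    def flush_text():
        enforce("maxTextValueLength", len("".join(text)))
        text.clear()
    def start(name, attrs):
        flush_text()
        stats["elements"] += 1
        enforce("maxElements", stats["elements"])
        if stack:  # this element is one more child of its parent
            stack[-1] += 1
            enforce("maxChildrenPerElement", stack[-1])
        stack.append(0)
        stats["depth"] = max(stats["depth"], len(stack) - 1)
        enforce("maxDepth", len(stack) - 1)
        enforce("maxAttributesPerElement", len(attrs))
        enforce("maxAttributeValueLength", max(map(len, attrs.values()), default=0))
    def end(name):
        flush_text()
        stack.pop()
    def external_entity(context, base, system_id, public_id):
        if not lim["allowExternalEntities"]:
            raise XmlThreat("allowExternalEntities")  # XXE guard: do not resolve
        return 1
    p = expat.ParserCreate()
    p.StartElementHandler, p.EndElementHandler = start, end
    p.CharacterDataHandler, p.ExternalEntityRefHandler = text.append, external_entity
    try:
        enforce("maxLength", len(doc))
        p.Parse(doc, True)
    except XmlThreat as exc:
        stats["violation"] = str(exc)
    return stats
```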
Configuration Steps
Refer to Configuring Call Transformation for an Endpoint for more information on the configuration steps.