HTTP Limits Policy

Anypoint Security uses the HTTP Limits policy to prevent an attacker from sending large messages that can consume bandwidth and potentially cause performance degradation or denial of service. This policy applies to all the APIs behind your Edge inbound endpoint. You can apply API Gateway policies to each API to enforce other API-specific policies, such as throttling and JSON threat protection.

The HTTP Limits policy limits the size of TCP protocol messages, paths, headers, and footers. This policy does not perform checks on the content of a message.

When you configure a DoS Policy, violations to the HTTP Limits policy escalate as protocol errors.

Prerequisites

To configure and use the security policies, you must:

Have the Anypoint Security - Edge entitlement for your Anypoint Platform account.

If you don’t see Security in Management Center, contact your customer success manager to enable Anypoint Security for your account.
Have Runtime Fabric on VMs/Bare Metal with inbound traffic configured. Anypoint Runtime Fabric is a container service that automates the deployment and orchestration of Mule apps and API gateways.

Refer to the Runtime Fabric documentation.

Runtime Fabric requires the Anypoint Integration Advanced package or a Platinum or Titanium subscription to Anypoint Platform.
Enable inbound traffic on Runtime Fabric to allow Mule apps and API gateways to listen on inbound connections.

Configure an HTTP Limits Policy

You can configure and apply an HTTP Limits policy to increase or decrease default HTTP limits.

Navigate to Anypoint Security, click the Create Policy icon, and select Content Attack Prevention.
Add a name for your policy in the Name field.

Configure the following parameters for your policy:

Value	Description
Maximum Message Size	The default maximum message size allowed is 104857600 bytes. Modify this value based on the requirements of your application by setting the maximum size to a value based on a size your APIs can handle. To prevent attackers from abusing request body checking and exhausting resources, choose the smallest value that satisfies your requirements.
Maximum Path Length	The default maximum path size allowed is 4096 bytes.
Maximum Length Of a Single Header	The default maximum header length allowed for is 16384 bytes.
Maximum Length Of a Single Trailer	The default maximum trailer length allowed is 16384 bytes.
Maximum Number Of Headers and Trailers	The default maximum number of headers and trailers allowed is 32 kB.

Value

Description

Maximum Message Size

The default maximum message size allowed is 104857600 bytes. Modify this value based on the requirements of your application by setting the maximum size to a value based on a size your APIs can handle.

To prevent attackers from abusing request body checking and exhausting resources, choose the smallest value that satisfies your requirements.

Maximum Path Length

The default maximum path size allowed is 4096 bytes.

Maximum Length Of a Single Header

The default maximum header length allowed for is 16384 bytes.

Maximum Length Of a Single Trailer

The default maximum trailer length allowed is 16384 bytes.

Maximum Number Of Headers and Trailers

The default maximum number of headers and trailers allowed is 32 kB.

To allow only specific HTTP methods, add them in the Allowed HTTP Request Methods field.

Valid HTTP methods are: GET, POST, PATCH, HEAD, TRACE, OPTIONS, DELETE, and PUT.
Click Save Policy.

Gartner names MuleSoft a Leader

Unleash the power of Salesforce Customer 360 through integration

Anypoint Platform Fundamentals

MuleSoft at World Tour