```yaml
- policyRef:
    name: json-threat-protection-flex
  config:
    maxContainerDepth: <int>          # OPTIONAL
    maxObjectEntryCount: <int>        # OPTIONAL
    maxObjectEntryNameLength: <int>   # OPTIONAL
    maxArrayElementCount: <int>       # OPTIONAL
    maxStringValueLength: <int>       # OPTIONAL
```
JSON Threat Protection Policy
| | |
|---|---|
| Policy Name | JSON Threat Protection |
| Summary | Protects against malicious JSON in API requests |
| Category | Security |
| First Flex Gateway version available | v1.4.0 |
| Returned Status Codes | 400 - Bad Request |
Summary
Applications that parse JSON requests are susceptible to attacks that inflate the number of elements and the nesting depth far beyond what the API expects. An attacker sends deeply nested or oversized documents so that the parser, which typically descends recursively into each container, exhausts memory or CPU. Dramatic swings in the size or shape of request payloads often signal such an attack. The JSON Threat Protection policy enforces configurable limits on container depth, object size, entry-name length, array size and string length, and rejects any request that exceeds them with 400 - Bad Request before it reaches your application.
This policy is one layer of defense. If attacks on your Anypoint Platform setup are difficult to detect, design your services architecture with additional layers of protection rather than relying on JSON Threat Protection alone.
Configuring Policy Parameters
Flex Gateway Local Mode
In Local Mode, you apply the JSON Threat Protection policy to your API via declarative configuration files. The `policyRef` definition above lists the configuration keys; the following table describes each parameter:
Parameter | Required or Optional | Default Value | Description
---|---|---|---
`maxContainerDepth` | Optional | -1 | Maximum nesting depth of containers. JSON allows objects and arrays to be nested in any order to any depth; the root container counts as depth 1. Specifying -1 indicates no limit.
`maxObjectEntryCount` | Optional | -1 | Maximum number of entries (key/value pairs) in any single object. Specifying -1 indicates no limit.
`maxObjectEntryNameLength` | Optional | -1 | Maximum string length of an object's entry name (key). Specifying -1 indicates no limit.
`maxArrayElementCount` | Optional | -1 | Maximum number of elements in any single array. Specifying -1 indicates no limit.
`maxStringValueLength` | Optional | -1 | Maximum length of any string value. Specifying -1 indicates no limit.
Flex Gateway Connected Mode
When you apply the JSON Threat Protection policy to your API from the UI, the following parameters are displayed:
Field | Description | Default | Required
---|---|---|---
Maximum Container Depth | Specifies the maximum nesting depth. JSON allows you to nest the containers (object and array) in any order to any depth. | -1 | false
Maximum String Value Length | Specifies the maximum length of a string value. | -1 | false
Maximum Object Entry Name Length | Specifies the maximum string length of an object's entry name. | -1 | false
Maximum Object Entry Count | Specifies the maximum number of entries in an object. | -1 | false
Maximum Array Element Count | Specifies the maximum number of elements in an array. | -1 | false
A value of -1 indicates that the field has no limit.
Payload Example
If your payload contains the following example JSON:
```json
{
  "Players": [
    { "Name": "Sachin", "Email": "sachin.tendulkar@example.com" },
    { "Name": "Suryakumar", "email": "Surya@example.com" },
    { "Name": "Bhuvi", "email": "bhuvi@example.com" },
    { "Name": "Jonty", "Email": "jonty@example.com" }
  ]
}
```
For this payload, the following are the tightest parameter values that still accept it; the explanation column shows which part of the payload determines each value. Lowering any one of them by one causes the policy to reject the request with 400 - Bad Request.
Parameter | Value | Explanation
---|---|---
Maximum Container Depth | 3 | The deepest nesting is a player object inside the `Players` array inside the root object: three containers.
Maximum String Value Length | 28 | The longest string value is `sachin.tendulkar@example.com`, which is 28 characters.
Maximum Object Entry Name Length | 7 | The longest entry name is `Players`, which is 7 characters.
Maximum Object Entry Count | 2 | Each player object has two entries (a name and an email); the root object has only one.
Maximum Array Element Count | 4 | The `Players` array has four elements.
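To make the five limits concrete, the following reference checker is an added example; it is not Flex Gateway code or part of the product documentation. It uses the policy's parameter names and its -1 "no limit" convention, measures the example payload above (producing exactly the values in the table), and shows two constructed attack payloads being rejected. The `Limits`, `measure`, `enforce` and `classify` names and the attack payloads are this example's own, not the gateway's.

```python
"""Reference implementation of the five JSON Threat Protection limits.

Added example, not Flex Gateway code: it mirrors the policy parameters
(-1 means unlimited) and rejects a payload the way the gateway answers
400 - Bad Request, so the limits can be reasoned about offline.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    """One field per policy parameter; -1 disables that check, as in the policy."""
    maxContainerDepth: int = -1
    maxObjectEntryCount: int = -1
    maxObjectEntryNameLength: int = -1
    maxArrayElementCount: int = -1
    maxStringValueLength: int = -1


class JsonThreatError(ValueError):
    """Raised when a payload exceeds a configured limit (gateway: 400 Bad Request)."""


def measure(doc):
    """Compute the payload's observed value for each parameter.

    The walk uses an explicit stack instead of recursion, so the checker
    cannot be pushed into a RecursionError by the nesting it is meant to
    detect. The root container counts as depth 1, which matches the page's
    example (object -> array -> object gives 3).
    """
    m = dict.fromkeys(("maxContainerDepth", "maxObjectEntryCount",
                       "maxObjectEntryNameLength", "maxArrayElementCount",
                       "maxStringValueLength"), 0)
    stack = [(doc, 0)]  # (value, number of containers enclosing it)
    while stack:
        value, depth = stack.pop()
        if isinstance(value, dict):
            depth += 1
            m["maxContainerDepth"] = max(m["maxContainerDepth"], depth)
            m["maxObjectEntryCount"] = max(m["maxObjectEntryCount"], len(value))
            for name, child in value.items():
                m["maxObjectEntryNameLength"] = max(m["maxObjectEntryNameLength"], len(name))
                stack.append((child, depth))
        elif isinstance(value, list):
            depth += 1
            m["maxContainerDepth"] = max(m["maxContainerDepth"], depth)
            m["maxArrayElementCount"] = max(m["maxArrayElementCount"], len(value))
            stack.extend((child, depth) for child in value)
        elif isinstance(value, str):
            m["maxStringValueLength"] = max(m["maxStringValueLength"], len(value))
    return m


def enforce(raw, limits):
    """Parse `raw` and raise JsonThreatError naming the first violated limit."""
    doc = json.loads(raw)
    observed = measure(doc)
    for name, limit in vars(limits).items():
        if limit != -1 and observed[name] > limit:
            raise JsonThreatError(f"{name} exceeded: observed {observed[name]}, limit {limit}")
    return doc


# The page's example payload, reproduced as-is.
PAGE_PAYLOAD = '''{"Players":[
  {"Name":"Sachin","Email":"sachin.tendulkar@example.com"},
  {"Name":"Suryakumar","email":"Surya@example.com"},
  {"Name":"Bhuvi","email":"bhuvi@example.com"},
  {"Name":"Jonty","Email":"jonty@example.com"}]}'''

# The tightest limits from the page's table; the payload sits exactly at each one.
PAGE_LIMITS = Limits(maxContainerDepth=3, maxObjectEntryCount=2,
                     maxObjectEntryNameLength=7, maxArrayElementCount=4,
                     maxStringValueLength=28)

# Constructed attack payloads (not from the page): 50 nested arrays, and a
# single object with 1,000 entries. Both are small on the wire but force a
# parser to allocate far more structure than this API ever needs.
DEEP_NESTING = "[" * 50 + "]" * 50
WIDE_OBJECT = json.dumps({f"k{i}": i for i in range(1000)})


def classify(raw, limits=PAGE_LIMITS):
    """Return 'accepted' or the violation message, mimicking the gateway's verdict."""
    try:
        enforce(raw, limits)
    except JsonThreatError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    print(measure(json.loads(PAGE_PAYLOAD)))
    for label, raw in (("page payload", PAGE_PAYLOAD),
                       ("deep nesting", DEEP_NESTING),
                       ("wide object", WIDE_OBJECT)):
        print(f"{label}: {classify(raw)}")
```

Two caveats a practitioner should keep in mind. First, this checker calls `json.loads` before it measures anything, so a hostile payload has already cost the parser its memory and CPU by the time it is rejected; a gateway in front of the application has to enforce these limits while it reads the document, which is why the policy belongs at the gateway rather than in application code. Second, the limits are per container and per string, not per document: `maxObjectEntryCount: 2` here is satisfied because no single object has more than two entries, even though the payload holds nine entries in total, so size the limits against the largest single container your API legitimately accepts.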