JSON Threat Protection Policy

Policy Name

JSON Threat Protection


Protects against malicious JSON in API requests



First Mule version available


Returned Status Codes

400 - Bad Request


Applications processing JSON requests are susceptible to attacks characterized by unusual inflation of elements and nesting levels. Attackers use recursive techniques to consume memory resources. Dramatic swings in the size of the application data often signal a security problem. The JSON Threat Protection policy helps protect your applications from such intrusions.

If you find that attacks on your Anypoint Platform setup are difficult to detect, design your services architecture with layers of protection in addition to JSON Threat Protection.

Configuring Policy Parameters

Flex Gateway Local Mode

The JSON Threat Protection policy is not supported in Flex Gateway Local Mode.

Flex Gateway Connected Mode

The JSON Threat Protection policy is not supported in Flex Gateway Connected Mode.

Mule Gateway

When you apply the JSON Threat Protection policy to your API from the UI, the following parameters are displayed:





Maximum Container Depth

Specifies the maximum nested depth. JSON allows you to nest the containers (object and array) in any order to any depth



Maximum String Value Length

Specifies the maximum length of a string value



Maximum Object Entry Name Length

Specifies the maximum string length of an object’s entry name



Maximum Object Entry Count

Specifies the maximum number of entries in an object



Maximum Array Element Count

Specifies the maximum number of elements in an array



A value of -1 indicates that the field value has no limits.


The following screenshot shows an example of the parameters configured for the JSON Threat Protection policy:

json threat policy

Was this article helpful?

💙 Thanks for your feedback!

Submit your feedback!
Share your thoughts to help us build the best documentation experience for you!
Take our latest survey!