JSON Threat Protection policy


What

Minimizes the risk posed by content-level attacks by enabling you to specify limits on various JSON structures, such as arrays and strings.

Where

This policy can be attached in the following locations.

              ProxyEndpoint                    TargetEndpoint
  Request     PreFlow   Flow   PostFlow        PreFlow   Flow   PostFlow
  Response    PostFlow  Flow   PreFlow         PostFlow  Flow   PreFlow

Element reference

The element reference describes the elements and attributes of the JSONThreatProtection policy.

<JSONThreatProtection async="false" continueOnError="false" enabled="true" name="JSON-Threat-Protection-1">
   <DisplayName>JSON Threat Protection 1</DisplayName>
   <ArrayElementCount>20</ArrayElementCount>
   <ContainerDepth>10</ContainerDepth>
   <ObjectEntryCount>15</ObjectEntryCount>
   <ObjectEntryNameLength>50</ObjectEntryNameLength>
   <Source>request</Source>
   <StringValueLength>500</StringValueLength>
</JSONThreatProtection>
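The following is an added example, not part of the Apigee policy or of this documentation: a stand-alone Python checker that reads the limit elements from a policy configuration like the one above and enforces them against a JSON payload in a single streaming pass, returning the same error code names the policy reports together with the line at which the limit was crossed. It lets you try candidate limits against captured request bodies before attaching the policy. Three points are assumptions the page does not state, and are labeled in the code: depth is counted with the outermost container as depth 1; entry-name and string lengths count raw characters between the quotes, before escape decoding; and the input is taken to be syntactically valid JSON, because the scanner enforces limits and is not a validator. The policy configuration embedded below is a constructed copy of the one shown in the element reference.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the policy configuration from the element reference.
POLICY_XML = """\
<JSONThreatProtection async="false" continueOnError="false" enabled="true" name="JSON-Threat-Protection-1">
   <DisplayName>JSON Threat Protection 1</DisplayName>
   <ArrayElementCount>20</ArrayElementCount>
   <ContainerDepth>10</ContainerDepth>
   <ObjectEntryCount>15</ObjectEntryCount>
   <ObjectEntryNameLength>50</ObjectEntryNameLength>
   <Source>request</Source>
   <StringValueLength>500</StringValueLength>
</JSONThreatProtection>
"""
LIMIT_ELEMENTS = ("ArrayElementCount", "ContainerDepth", "ObjectEntryCount",
                  "ObjectEntryNameLength", "StringValueLength")


def load_limits(policy_xml):
    """Read each limit element; an omitted element is -1, i.e. no limit."""
    root = ET.fromstring(policy_xml)
    limits = {}
    for tag in LIMIT_ELEMENTS:
        el = root.find(tag)
        limits[tag] = int(el.text) if el is not None and el.text else -1
    return limits


class Breach(Exception):
    """First limit crossed; args are (error_code, line) as the policy reports."""


def _scan(text, limits):
    """One streaming pass over the payload, raising Breach at the first limit
    crossed. Assumptions not stated by the policy docs: the outermost container
    is depth 1; lengths count raw characters between the quotes (escapes not
    decoded); the input is syntactically valid JSON."""
    stack, line, in_scalar = [], 1, False   # frames: [is_object, count, expect_key]
    i, n = 0, len(text)

    def guard(tag, value, code):
        if limits[tag] != -1 and value > limits[tag]:   # -1 disables the check
            raise Breach(code, line)

    def value_begins():
        # A value starting directly inside an array is one more element.
        if stack and not stack[-1][0]:
            stack[-1][1] += 1
            guard("ArrayElementCount", stack[-1][1], "ExceededArrayElementCount")

    while i < n:
        c = text[i]
        if c in ' \t\r\n[]{},:"':
            in_scalar = False              # any delimiter ends a number/literal token
        if c == "\n":
            line += 1
        elif c in "[{":
            value_begins()
            stack.append([c == "{", 0, c == "{"])
            guard("ContainerDepth", len(stack), "ExceededContainerDepth")
        elif c in "]}":
            if stack:
                stack.pop()
        elif c == ":":
            if stack:
                stack[-1][2] = False       # the value for the key just read follows
        elif c == ",":
            if stack and stack[-1][0]:
                stack[-1][2] = True        # another key follows in this object
        elif c == '"':
            j = i + 1
            while j < n and text[j] != '"':
                if text[j] == "\\":
                    j += 1                 # skip the escaped character
                j += 1
            raw_len = j - (i + 1)          # assumption: raw length, escapes not decoded
            if stack and stack[-1][0] and stack[-1][2]:
                stack[-1][1] += 1          # object key: one more entry
                guard("ObjectEntryCount", stack[-1][1], "ExceededObjectEntryCount")
                guard("ObjectEntryNameLength", raw_len, "ExceededObjectEntryNameLength")
            else:
                value_begins()
                guard("StringValueLength", raw_len, "ExceededStringValueLength")
            i = j
        elif c not in " \t\r" and not in_scalar:   # first char of a number or literal
            in_scalar = True
            value_begins()
        i += 1


def check_json(text, limits):
    """Return None if every limit holds, else (error_code, line) of the first breach."""
    try:
        _scan(text, limits)
    except Breach as b:
        return b.args
    return None
```

The checker reports only the first limit crossed, in scan order, so a payload that breaks several limits yields one code, the same shape as the policy's single error code. Because a limit of -1 disables its check, running a deeply nested payload through limits loaded from a configuration that omits every limit element returns None: such a policy enforces nothing, which is why each structure that your API does not legitimately need unbounded should carry an explicit value.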

<JSONThreatProtection> attributes

<JSONThreatProtection async="false" continueOnError="false" enabled="true" name="JSON-Threat-Protection-1"> 
async
    Set to true to specify that the policy should be run in a thread pool different from the pool servicing the request/response flow. Default is false.
    Note: This setting is only used for internal optimization. Contact Apigee support at the Support Portal for more information.
    Default: false
    Presence: Optional

continueOnError
    Most policies are expected to return an error when a failure occurs (for example, when a Quota is exceeded). By setting this attribute to true, Flow execution continues on failure.
    Default: false
    Presence: Optional

enabled
    Determines whether a policy is enforced or not. If set to false, the policy is 'turned off' and not enforced (even though it remains attached to a Flow).
    Default: true
    Presence: Optional

name
    The internal name of the policy. Characters you can use in the name are restricted to: A-Z0-9._\-$ %. However, the Edge management UI enforces additional restrictions, such as automatically removing characters that are not alphanumeric.
    Optionally, use the <DisplayName> element to label the policy in the management UI proxy editor with a different, natural-language name.
    Default: N/A
    Presence: Required

<DisplayName> element

A natural-language name that labels the policy in the management UI proxy editor. If omitted, the policy name attribute is used.

<DisplayName>Custom label used in UI</DisplayName>
Default: Policy name attribute value.
Presence: Optional
Type: String

<ArrayElementCount> element

Specifies the maximum number of elements allowed in an array.

<ArrayElementCount>20</ArrayElementCount>
Default: If you do not specify a limit, the system applies a default value of -1, which the system equates to no limit.
Presence: Optional
Type: Integer

<ContainerDepth> element

Specifies the maximum allowed nested depth.

<ContainerDepth>10</ContainerDepth>
Default: If you do not specify a limit, the system applies a default value of -1, which the system equates to no limit.
Presence: Optional
Type: Integer

<ObjectEntryCount> element

Specifies the maximum number of entries allowed in an object.

<ObjectEntryCount>15</ObjectEntryCount>
Default: If you do not specify a limit, the system applies a default value of -1, which the system equates to no limit.
Presence: Optional
Type: Integer

<ObjectEntryNameLength> element

Specifies the maximum string length allowed for an object's entry name.

<ObjectEntryNameLength>50</ObjectEntryNameLength>
Default: If you do not specify a limit, the system applies a default value of -1, which the system equates to no limit.
Presence: Optional
Type: Integer

<Source> element

Message to be screened for JSON payload attacks. This is most commonly set to request, as you will typically need to validate inbound requests from client apps. When set to message, this element will automatically evaluate the request message when attached to the request flow and the response message when attached to the response flow.

<Source>request</Source>
Default: request
Presence: Optional
Type: String
Valid values: request, response, or message.

<StringValueLength> element

Specifies the maximum length allowed for a string value.

<StringValueLength>500</StringValueLength>
Default: If you do not specify a limit, the system applies a default value of -1, which the system equates to no limit.
Presence: Optional
Type: Integer

Error codes

The default format for error codes returned by Policies is:

{
  "code" : " {ErrorCode} ",
  "message" : " {Error message} ",
  "contexts" : [ ]
}

The JSONThreatProtection policy type defines the following error codes:

Error Code                      Message
ExceededContainerDepth          JSONThreatProtection[{0}]: Exceeded container depth at line {1}
ExceededObjectEntryCount        JSONThreatProtection[{0}]: Exceeded object entry count at line {1}
ExceededArrayElementCount       JSONThreatProtection[{0}]: Exceeded array element count at line {1}
ExceededObjectEntryNameLength   JSONThreatProtection[{0}]: Exceeded object entry name length at line {1}
ExceededStringValueLength       JSONThreatProtection[{0}]: Exceeded string value length at line {1}
SourceUnavailable               JSONThreatProtection[{0}]:: Source {1} is not available
NonMessageVariable              JSONThreatProtection[{0}]: Variable {1} does not resolve to a Message
ExecutionFailed                 JSONThreatProtection[{0}]: Execution failed. reason: {1}

Schemas

See our GitHub repository samples for the most recent schemas.

Usage notes

Like XML-based services, APIs that accept JavaScript Object Notation (JSON) are vulnerable to content-level attacks. Simple JSON attacks use structures that overwhelm JSON parsers (deeply nested containers, very large arrays or objects, oversized entry names or string values) to crash a service and induce an application-level denial of service. All settings are optional and should be tuned to balance your service requirements against potential vulnerabilities. Because every unspecified limit defaults to -1 (no limit), a policy that sets none of the limit elements enforces nothing; give each structure that your API does not legitimately need unbounded an explicit value. Unless continueOnError is set to true, a breached limit stops Flow execution with one of the error codes listed above.

Related topics

JSON to XML policy

XML Threat Protection policy

Regular Expression Protection policy

 
