Was this helpful?

Like XML-based services, APIs that support JavaScript object notation (JSON) are vulnerable to content-level attacks. Simple JSON attacks attempt to use structures that overwhelm JSON parsers to crash a service and induce application-level denial-of-service attacks.

The JSONThreatProtection policy minimizes the risk posed by such attacks by enabling you to specify limits on various JSON structures, such as arrays and strings. All settings are optional and should be tuned to optimize your service requirements against potential vulnerabilities.

Note: If a limit is not specified, the system applies a default value of -1 (the system equates a negative value to no limit).

Configuring the JSON Threat Protection policy

Configure the JSON Threat Protection policy using the following elements.

Field Name Description
Source Request that needs to be validated for JSON payload attacks.
Container depth Specifies the maximum allowed nested depth.
JSON allows you to nest the containers (object and array) in any order to any depth.
Object entry count Specifies the maximum number of entries allowed in an object.
Object entry name length Specifies the maximum string length allowed for an object's entry name.
Array element count Specifies the maximum number of elements allowed in an array.
String value length Specifies the maximum length allowed for a string value.

Example - JSON Threat Protection policy

<JSONThreatProtection name="mypolicy">

Policy-specific error codes

The default format for error codes returned by Policies is:

  "code" : " {ErrorCode} ",
  "message" : " {Error message} ",
  "contexts" : [ ]

The JSOThreatProtection Policy types defines the following error codes:

Error Code Message
ExceededContainerDepth JSONThreatProtection[{0}]: Exceeded container depth at line {1}
ExceededObjectEntryCount JSONThreatProtection[{0}]: Exceeded object entry count at line {1}
ExceededArrayElementCount JSONThreatProtection[{0}]: Exceeded array element count at line {1}
ExceededObjectEntryNameLength JSONThreatProtection[{0}]: Exceeded object entry name length at line {1}
ExceededStringValueLength JSONThreatProtection[{0}]: Exceeded string value length at line {1}
SourceUnavailable JSONThreatProtection[{0}]:: Source {1} is not available
NonMessageVariable JSONThreatProtection[{0}]: Variable {1} does not resolve to a Message
ExecutionFailed JSONThreatProtection[{0}]: Execution failed. reason: {1}

Policy schema

Each policy type is defined by an XML schema (.xsd). For reference, policy schemas are available on GitHub.


Provide your email address if you wish to be contacted offline about your comment.
We will not display your email address as part of your comment.

We'd love your feedback and perspective! Please be as specific as possible.
Type the characters you see in this picture. (verify using audio)

Type the characters you see in the picture above; if you can't read them, submit the form and a new image will be generated. Not case sensitive.