This page applies to Apigeeand Apigee hybrid.
View Apigee Edge
documentation.
What
Minimizes the risk posed by content-level attacks by enabling you to specify limits on various JSON structures, such as arrays and strings.
This policy is an Extensible policy and use of this policy might have cost or utilization implications, depending on your Apigee license. For information on policy types and usage implications, see Policy types .
Video:Watch a short video to learn more about how the JSONThreatProtection policy enables you to secure APIs against content-level attacks.
Video:Check out this short video on the Apigee cross-cloud API platform.
Element reference
The element reference describes the elements and attributes of the JSONThreatProtection policy.
<JSONThreatProtection async="false" continueOnError="false" enabled="true" name="JSON-Threat-Protection-1"> <DisplayName>JSONThreatProtection 1</DisplayName> <ArrayElementCount>20</ArrayElementCount> <ContainerDepth>10</ContainerDepth> <ObjectEntryCount>15</ObjectEntryCount> <ObjectEntryNameLength>50</ObjectEntryNameLength> <Source>request</Source> <StringValueLength>500</StringValueLength> </JSONThreatProtection>
<JSONThreatProtection> attributes
<JSONThreatProtection async="false" continueOnError="false" enabled="true" name="JSON-Threat-Protection-1">
The following table describes attributes that are common to all policy parent elements:
name
The internal name of the policy. The value of the name
attribute can
contain letters, numbers, spaces, hyphens, underscores, and periods. This value cannot
exceed 255 characters.
Optionally, use the <DisplayName>
element to label the policy in
the management UI proxy editor with a different, natural-language name.
continueOnError
Set to false
to return an error when a policy fails. This is expected
behavior for most policies.
Set to true
to have flow execution continue even after a policy
fails. See also:
enabled
Set to true
to enforce the policy.
Set to false
to turn off
the policy. The policy will not be
enforced even if it remains attached to a flow.
async
This attribute is deprecated.
<DisplayName> element
Use in addition to the name
attribute to label the policy in the
management UI proxy editor with a different, natural-language name.
<DisplayName>Policy Display Name</DisplayName>
| Default | N/A If you omit this element, the value of the policy's |
|---|---|
| Presence | Optional |
| Type | String |
<ArrayElementCount> element
Specifies the maximum number of elements allowed in an array.
<ArrayElementCount>20</ArrayElementCount>
| Default: | If you do not specify this element, or if you specify a negative integer, the system does not enforce a limit. |
|---|---|
| Presence: | Optional |
| Type: | Integer |
<ContainerDepth> element
Specifies the maximum allowed containment depth, where the containers are objects or arrays. For example, an array containing an object which contains an object would result in a containment depth of 3.
<ContainerDepth>10</ContainerDepth>
| Default: | If you do not specify this element, or if you specify a negative integer, the system does not enforce any limit. |
|---|---|
| Presence: | Optional |
| Type: | Integer |
<ObjectEntryCount> element
Specifies the maximum number of entries allowed in an object.
<ObjectEntryCount>15</ObjectEntryCount>
| Default: | If you do not specify this element, or if you specify a negative integer, the system does not enforce any limit. |
|---|---|
| Presence: | Optional |
| Type: | Integer |
<ObjectEntryNameLength> element
Specifies the maximum string length allowed for a property name within an object.
<ObjectEntryNameLength>50</ObjectEntryNameLength>
| Default: | If you do not specify this element, or if you specify a negative integer, the system does not enforce a limit. |
|---|---|
| Presence: | Optional |
| Type: | Integer |
<Source> element
Message to be screened for JSON payload attacks. This is most commonly set to request
, as you will typically need to validate inbound requests from client apps.
When set to message
, this element will automatically evaluate the request message
when attached to the request flow and the response message when attached to the response
flow.
<Source>request</Source>
| Default: | request |
| Presence: | Optional |
| Type: | String. Valid values: request, response, or message. |
<StringValueLength> element
Specifies the maximum length allowed for a string value.
<StringValueLength>500</StringValueLength>
| Default: | If you do not specify this element, or if you specify a negative integer, the system does not enforce a limit. |
|---|---|
| Presence: | Optional |
| Type: | Integer |
Error reference
This section describes the fault codes and error messages that are returned and fault variables that are set by Apigee when this policy triggers an error. This information is important to know if you are developing fault rules to handle faults. To learn more, see What you need to know about policy errors and Handling faults .
Runtime errors
These errors can occur when the policy executes.
steps.jsonthreatprotection.ExecutionFailed
500
JSONThreatProtection
policy can throw many different types of ExecutionFailed
errors.
Most of these errors occur when a specific threshold set in the policy is exceeded. These
types of errors include: object entry name length
, object entry count
, array element count
, container depth
, string string value length
.
This error also occurs when the payload contains an invalid JSON object
.steps.jsonthreatprotection.SourceUnavailable
500
<Source>
element is either: - Out of scope (not available in the specific flow where the policy is being executed)
- Is not one of the valid values
request,response, ormessage
Deployment errors
None.
Fault variables
These variables are set when this policy triggers an error. For more information, see What you need to know about policy errors .
| Variables | Where | Example |
|---|---|---|
fault.name=" fault_name
"
|
fault_name is the name of the fault, as listed in the Runtime errors table above. The fault name is the last part of the fault code. | fault.name Matches "SourceUnavailable"
|
jsonattack. policy_name
.failed
|
policy_name is the user-specified name of the policy that threw the fault. | jsonattack.JTP-SecureRequest.failed = true
|
Example error response
{
"fault": {
"faultstring": "JSONThreatProtection[JPT-SecureRequest]: Execution failed. reason: JSONThreatProtection[JTP-SecureRequest]: Exceeded object entry name length at line 2",
"detail": {
"errorcode": "steps.jsonthreatprotection.ExecutionFailed"
}
}
}
Example fault rule
<FaultRule name="JSONThreatProtection Policy Faults">
<Step>
<Name>AM-CustomErrorResponse</Name>
<Condition>(fault.name Matches "ExecutionFailed") </Condition>
</Step>
<Condition>(jsonattack.JPT-SecureRequest.failed = true) </Condition>
</FaultRule>
Schemas
Usage notes
Like XML-based services, APIs that support JavaScript object notation (JSON) are vulnerable to content-level attacks. Simple JSON attacks attempt to use structures that overwhelm JSON parsers to crash a service and induce application-level denial-of-service attacks. All settings are optional and should be tuned to optimize your service requirements against potential vulnerabilities.
