JsonThreatProtection
This policy enables you to reduce the risk of content-level attack by specifying
limits on various JSON structures, such as arrays and strings.
This policy executes only if the content type header is set to json.
Example
In this example, a header is set for a request.
<jsonThreat xmlns="http://www.infor.com/ion/api"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
name="jsonThreat-example" displayName="jsonThreat-example" enabled="true" version="1.0">
<arrayElementCount>255</arrayElementCount>
<containerDepth>5</containerDepth>
<objectEntryCount>100</objectEntryCount>
<objectEntryNameLength>25</objectEntryNameLength>
<stringValueLength>25</stringValueLength>
</jsonThreat>
Configuration
| Element name | Default | Presence | Type | Multiplicity |
|---|---|---|---|---|
| arrayElementCount | n/a | Optional | integer | 1 |
| containerDepth | n/a | Optional | integer | 1 |
| objectEntryCount | n/a | Optional | integer | 1 |
| objectEntryNameLength | n/a | Optional | integer | 1 |
| stringValueLength | n/a | Optional | integer | 1 |
<jsonThreat> attributes
<header name="jsonThreat-example" displayName="jsonThreat-example" enabled="true" version="1.0">| Field name | Description | Default | Presence |
|---|---|---|---|
| name | Name of this policy instance. | N/A | Required |
| displayName | Optional | ||
| enabled | Indicates if a policy is enforced or not. If set to false, a policy is turned off, and not enforced. | true | Optional |
| version | Policy version. | N/A | Required |
<arrayElementCount> element
Optional element that indicates the maximum number of elements allowed in an array.
<arrayElementCount>255</arrayElementCount><containerDepth> element
Optional element that indicates the maximum allowed nested depth.
<objectEntryCount>100</objectEntryCount><objectEntryCount> element
Optional element that indicates the maximum number of entries allowed in an object.
<objectEntryNameLength>25</objectEntryNameLength><objectEntryNameLength> element
Optional element that indicates the maximum string length allowed for an object's entry name.
<objectEntryNameLength>25</objectEntryNameLength><stringValueLength> element
Optional element that indicates the maximum length allowed for a string value.
<stringValueLength>25</stringValueLength>