JSON Threat Protection Policy in MuleSoft

JSON Threat Protection Policy in MuleSoft is a protection policy for the APIs to defend them from miscellaneous HTTP requests which are inflated to bring down the APIs server. For example, a request can contain an inflated request in which they can increase the JSON depth, object name and values, and array length, which may result in memory or performance issues. Therefore, such requests should be denied at the entry-level only.

This policy usually defines the proper structure for the JSON request we will receive, e.g., Depth, Object name and value length, and Array size.

Steps to implement the JSON Threat Policy:

1. Select the JSON THREAT POLICY, and it’s a version from the Apply New Policy in the API Manager.

2. Configure the various properties:

• Maximum Container Depth – Specifies the maximum nested depth. JSON allows you to nest the containers (object and array) in any order to any depth
• Maximum String Value Length – Specifies the maximum length of a string
• Maximum Object Entry Name Length – Specifies the maximum string length of an object’s entry name
• Maximum Object Entry Count – Specifies the maximum number of entries in an object
• Maximum Array Element Count – Specifies the maximum number of elements in an array

3. Now when we make a post request an error message is being shown, depicting that wrong properties are being passed according to the configured policy.

4. We need to set the properties in the following way:

• Maximum Container Depth – 3 – which is root -> address -> (addressLine1, addressLine2, city, state,zipCode, country)
• Maximum String Value Length – 15 – e.g. max length value in JSON – molly@mue.com
• Maximum Object Entry Name Length – 12 – maximum string length of an object’s entry name in JSON – addressLine1
• Maximum Object Entry Count – -1 – Specifies that there can be n number of entries in an object.
• Maximum Array Element Count – 2

{
  "customerID": "1fe1c22",
  "firstName": "Molly",
  "lastName": "Mule",
  "displayName": "Molly ",
  "address": {
    "addressLine1": "123 Street",
    "addressLine2": "Apt.#3D",
    "city": "San Francisco",
    "state": "California",
    "zipCode": "94110",
    "country": "United States"
  },
  "phone": "415-000-0000",
  "email": "molly@mue.com",
  "ssn": "321-654-0987",
  "dateOfBirth": "1990-09-04"
}

5. Now give the post request and we are able to access the API.

Thanks for reading, find more MuleSoft best practices at Caelius Consulting Resource Centre.