This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Clarification on content type for Threat Protect policies

Posted on 01-08-2020 08:58 PM
vamsipabbisetty
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

As part of Threat protection policies we have implemented both Json & XML policies. But these are executed only if content type (either application/Json or application/xml) is provided as part of request. Client can send the request with out content-type explicitly. Hence do we need to make content types are mandatory or any other technical suggestion on this for implementation

Solved Solved
0 2 179
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
kurtkanaskie
Staff
Reply posted on --/--/---- --:-- AM

Hi @vamsi pabbisetty,

To be precise, you need to add some conditional logic to ensure the requests have a valid content-type header.

For example, if you support both json and xml you could use something like:

    <Step>
        <Condition>(request.header.content-type != "application/json") and (request.header.content-type != "application/xml")</Condition>
        <Name>RF-InvalidContentType</Name>
    </Step>
    <Step>
        <Condition>request.header.content-type == "application/json"</Condition>
        <Name>TP-JSON</Name>
    </Step>
    <Step>
        <Condition>request.header.content-type == "application/xml"</Condition>
        <Name>TP-XML</Name>
    </Step>

Hope that helps.

View solution in original post

Jump to Solution
2 REPLIES 2

Posted on --/--/---- --:-- AM
kurtkanaskie
Staff
Reply posted on --/--/---- --:-- AM

Hi @vamsi pabbisetty,

To be precise, you need to add some conditional logic to ensure the requests have a valid content-type header.

For example, if you support both json and xml you could use something like:

    <Step>
        <Condition>(request.header.content-type != "application/json") and (request.header.content-type != "application/xml")</Condition>
        <Name>RF-InvalidContentType</Name>
    </Step>
    <Step>
        <Condition>request.header.content-type == "application/json"</Condition>
        <Name>TP-JSON</Name>
    </Step>
    <Step>
        <Condition>request.header.content-type == "application/xml"</Condition>
        <Name>TP-XML</Name>
    </Step>

Hope that helps.

Jump to Solution

Posted on --/--/---- --:-- AM
vamsipabbisetty
Bronze 1
Bronze 1
In response to kurtkanaskie
Reply posted on --/--/---- --:-- AM

Hi @Kurt Googler Kanaskie,

Thanks for your inputs. We thought there will be Apigee proxy level setting to mandate content -types since this is common behaviour across all API's. Now we have to go with implementation as you suggested

Jump to Solution
0 Likes