Threat protection policy documentation in section [Threat protection error configuration]

faijahmad

JSON documentation URL: JSON Threat Protection

The threat protection error configuration section there says that, for a request, it will return a "500 status code" for an invalid message:

Request: With a threat protection policy attached to any request flow, invalid messages return a 500 status code, along with a corresponding policy error message.

While

XML documentation URL: XML Threat Protection

The threat protection error configuration section there says that, for a request, it will return a "400 status code" for an invalid message:

Request: With a threat protection policy attached to any request flow, invalid messages return a 400 status code, along with a corresponding policy error message.

Is this right, or is it a documentation typo?

ACCEPTED SOLUTION

Hi @Faij Ahmad,

I confirmed that the JSON Threat Protection always returns a 500 Internal Server Error, whether the policy is on the request or response flow. Therefore, the documentation was correct; however, the JSON Threat doc was a little misleading, suggesting that you can set an org property called isPolicyBasedHttpStatusEnabled to affect the error codes that are returned. That was not correct. The JSON policy never checks that flag. I removed that part of the documentation.

On the other hand, the XML Threat Protection policy DOES check that org property, and the error responses (HTTP Status and Error code) ARE affected depending on that org property's setting. I added notes to the XML Threat doc to make this behavior more clear, and you can read the details in the doc.

Thanks for raising this issue. I hope this answer is satisfactory.

Best regards,

Will


faijahmad

@Floyd Jones

Can you please take a look at this too?

@wwitman, mind taking a look at this? Thanks!

I'm trying to confirm the doc content and will update here as soon as possible.


Thank you @wwitman