JSONThreatProtection policy executing for Content-Type application/xml

The APIGEE documentation for the JSONThreatProtection policy states that "This policy executes only if the Content-Type of the request or response header is set to application/json."

I have some APIs that accept content types xml and json, and when I sent a request with a Content-Type of application/xml, from the trace it looks like the JSONThreatProtection policy did get invoked and was not skipped.

Though the policy itself didn't face an execution error, it still makes me concerned to see that it was not skipped.

What is happening in this policy execution when the content type is xml? Is it default apigee behaviour not to show skipped for this policy?

(and vice versa for XMLThreatProtection policy).


My guess is that the policy executes, but does nothing... If you're concerned about this, you can always add a condition to your flow, so that the policy executes only if content-type is application/json.

Yes, the policy executes, and the check for the content-type is within the policy. If the content-type is not application/json (or similar) then the policy does nothing. It executes, but does nothing.

I suppose the documentation is slightly inaccurate in this regard, although it's close to the same thing.

The same is true for the XMLThreatProtection policy.


It executes, but I would suggest adding these policies with a condition. For application/json content-type use JSON threat protection, and for application/xml, XML threat protection.
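
The conditional attachment suggested in the replies above, written out as an added example that is not part of the original thread. The policy names `JSON-Threat-Protection` and `XML-Threat-Protection` are hypothetical; the conditions use a regex match rather than `=` so that a header such as `application/json; charset=utf-8` still triggers the check.

```xml
<!-- Added example: PreFlow of a ProxyEndpoint. Policy names are hypothetical. -->
<PreFlow name="PreFlow">
  <Request>
    <!-- Runs only for JSON bodies. (?i) ignores case; the optional
         "(;.*)?" group tolerates parameters such as "; charset=utf-8". -->
    <Step>
      <Name>JSON-Threat-Protection</Name>
      <Condition>request.header.Content-Type ~~ "(?i)^application/json *(;.*)?$"</Condition>
    </Step>
    <!-- Runs only for XML bodies, same matching rules. -->
    <Step>
      <Name>XML-Threat-Protection</Name>
      <Condition>request.header.Content-Type ~~ "(?i)^application/xml *(;.*)?$"</Condition>
    </Step>
    <!-- A request whose Content-Type matches neither condition (or that
         has no Content-Type header) runs neither policy, so the proxy or
         backend should reject content types the API does not accept. -->
  </Request>
  <Response/>
</PreFlow>
```

With these conditions the trace shows each step as skipped when its condition is false, instead of showing the policy as executed with no effect.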