User Guide

JSON Protection

JSON is a lightweight data-interchange format, and attackers may abuse the JSON content of requests, or the sensitive information carried in it, to attack web servers.

If your API interfaces accept JSON, you can configure JSON protection rules that define acceptable JSON content and enforce it.

To create a JSON protection rule

  1. Go to API Protection > JSON PROTECTION.
    You must have already enabled this module in Add Modules. See How to add or remove a module.
  2. Click +Create JSON Protection Rule.
  3. Configure these settings.

    Name

    Enter a name for the JSON protection rule.

    Request URL

    Type the URL used to match requests, such as /upload.php, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).

    Note: FortiWeb Cloud does not apply the JSON protection rule to requests whose URL does not match the Request URL.

    JSON Limits

    Enable to apply the following default limits on key and value size, key and value counts, and nesting depth:

    • Key size: 512 Bytes
    • Key number: 1024
    • Value size: 10240 Bytes
    • Value number: 1024
    • Value number in array: 1024
    • Object depth: 1028

    Schema Validation

    Enable to import a JSON schema file that FortiWeb Cloud uses to check the JSON content of HTTP requests.

    The JSON schema file defines the JSON data structure and the valid JSON data contents.

    Make sure the schema file does not contain any structural error; otherwise the JSON protection rule will not take effect.

    Schema File

    Upload the JSON schema file that describes acceptable JSON content.

    Available only when Schema Validation is enabled.

  4. Click OK.
  5. From the top right corner, select the action that FortiWeb Cloud takes when it detects a violation of the rule.
    To configure the actions, you must first enable the Advanced Configuration in Global > System Settings > Settings.

    Alert

    Accept the request and generate an alert email and/or log message.

    Alert & Deny

    Block the request (or reset the connection) and generate an alert email and/or log message.

    Deny (no log)

    Block the request (or reset the connection).

  6. Click SAVE.
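As an added example (not FortiWeb's own code), the following Python function applies the six JSON Limits from step 3 to a request body and reports the first limit exceeded, which is useful for testing what a rule with the default limits would flag before it is deployed. The class and function names, and the counting rules (UTF-8 byte sizes, one value per scalar, one depth level per nested object or array), are assumptions, since the page does not specify how FortiWeb Cloud counts.

```python
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class JsonLimits:
    """Default thresholds as listed under 'JSON Limits' on this page."""
    key_size: int = 512             # bytes per key
    key_number: int = 1024          # keys in the whole document
    value_size: int = 10240         # bytes per scalar value
    value_number: int = 1024        # scalar values in the whole document
    array_value_number: int = 1024  # elements in any single array
    object_depth: int = 1028        # nesting depth of objects and arrays

def check_json_limits(body: str, limits: JsonLimits = JsonLimits()) -> "str | None":
    """Return None when the body is within every limit, else the name of the first
    limit exceeded. Counting rules are assumptions, not FortiWeb's documented
    semantics: sizes are UTF-8 byte lengths, each scalar is one value, and every
    nested object or array adds one level of depth."""
    try:
        doc = json.loads(body)
    except (ValueError, RecursionError):
        return "malformed"  # not valid JSON: neither limits nor a schema can be checked
    counts = {"keys": 0, "values": 0}

    def walk(node, depth):
        if isinstance(node, (dict, list)):
            if depth > limits.object_depth:
                return "object_depth"
            if isinstance(node, list) and len(node) > limits.array_value_number:
                return "array_value_number"
            for key in (node if isinstance(node, dict) else ()):
                counts["keys"] += 1
                if counts["keys"] > limits.key_number:
                    return "key_number"
                if len(key.encode("utf-8")) > limits.key_size:
                    return "key_size"
            for child in (node.values() if isinstance(node, dict) else node):
                err = walk(child, depth + 1)
                if err:
                    return err
            return None
        counts["values"] += 1
        if counts["values"] > limits.value_number:
            return "value_number"
        text = node if isinstance(node, str) else json.dumps(node)
        return "value_size" if len(text.encode("utf-8")) > limits.value_size else None

    return walk(doc, 1)
```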
