Creating JSON protection policy
You can configure a JSON protection policy so that FortiWeb will:
- Enforce customizable rules for acceptable JSON contents in HTTP requests, including limits for names, values, depth, and other attributes
- Prevent forbidden JSON entities from making requests
Each policy can contain up to 256 JSON protection rules.
Optionally, a policy can also include JSON schema files that describe the acceptable structure of a JSON document; FortiWeb uses them when enforcing the JSON protection policy.
JSON protection policies are enforced by selecting them in an active inline Web Protection Profile.
This section provides instructions to:
- Create a JSON protection policy
- Select a JSON protection policy in a web protection profile
The Content-Type of HTTP requests for JSON protection must be application/json or text/json.
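As an added illustration, not FortiWeb code, the following Python models the checks described above: the Content-Type gate and limits on name length, value length, and nesting depth. The limit values and the sample requests are assumptions constructed for the example.

```python
import json

# Illustrative limits for the attributes a rule can cap (names, values, depth).
# These are assumed values for the example, not FortiWeb defaults.
LIMITS = {"max_name_len": 64, "max_value_len": 256, "max_depth": 8}
# Content-Type values that JSON protection inspects.
JSON_TYPES = ("application/json", "text/json")

def content_type_is_json(headers):
    """True when the request Content-Type is one of the inspected JSON types."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return ctype in JSON_TYPES

def check_node(node, depth, findings, limits):
    """Walk the parsed document and record every limit that is exceeded."""
    if isinstance(node, (dict, list)) and depth > limits["max_depth"]:
        findings.append(f"nesting depth {depth} exceeds {limits['max_depth']}")
        return  # no need to descend once the depth cap is already exceeded
    if isinstance(node, dict):
        for name, value in node.items():
            if len(name) > limits["max_name_len"]:
                findings.append(f"name of {len(name)} chars exceeds {limits['max_name_len']}")
            check_node(value, depth + 1, findings, limits)
    elif isinstance(node, list):
        for item in node:
            check_node(item, depth + 1, findings, limits)
    elif isinstance(node, str) and len(node) > limits["max_value_len"]:
        findings.append(f"value of {len(node)} chars exceeds {limits['max_value_len']}")

def inspect_request(headers, body, limits=LIMITS):
    """Return (allowed, findings). Non-JSON content types pass through uninspected."""
    if not content_type_is_json(headers):
        return True, ["not a JSON Content-Type; JSON rules not applied"]
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return False, [f"malformed JSON: {exc}"]
    findings = []
    check_node(doc, 1, findings, limits)
    return not findings, findings

# Constructed sample requests (header dict, body), not captured traffic.
GOOD = ({"content-type": "application/json"}, '{"user": "alice", "roles": ["admin"]}')
DEEP = ({"content-type": "text/json; charset=utf-8"}, "[" * 12 + "1" + "]" * 12)
LONG_NAME = ({"content-type": "application/json"}, json.dumps({"k" * 80: 1}))
FORM = ({"content-type": "application/x-www-form-urlencoded"}, "user=alice")

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("deep", DEEP), ("long name", LONG_NAME), ("form", FORM)]:
        print(label, inspect_request(*req))
```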
To create a JSON protection policy
- Go to JSON Protection > JSON Protection Policy.
- Click Create New.
- For Name, enter a name for the policy. You will use the Name to select the policy in a web protection profile. The maximum length is 63 characters.
- The Signature Detection option is disabled by default. Enable it to scan JSON data submitted by clients in HTTP requests with Content-Type application/json or text/json for matches with attack and data leak signatures.
- Click OK.
- To add JSON protection rules to the policy, see To select a JSON protection policy in a web protection profile.
To select a JSON protection policy in a web protection profile
For details about creating a web protection profile, see Configuring a protection profile for inline topologies.
- Go to Policy > Web Protection Profile.
- Select the Inline Protection Profile tab.
- Select the existing web protection profile to which you want to add the JSON protection policy.
- Click Edit.
- For API Protection > JSON Protection, select the JSON protection policy from the drop-down list.
Note: To view details about a selected JSON protection policy, click the view icon next to the drop-down list.
- Click OK.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.