Request body content parsing

This page contains information about configuring request body content parsing, an optional feature that you can use with your Cloud Armor security policies.

By default, Cloud Armor evaluates the full content of a request body as a single uniform string (subject to body size limitations) against the signatures in your preconfigured WAF rules. For requests whose bodies use an alternative encoding such as JSON, the structural components of the message (quotes, braces, colons and similar syntax that the user did not supply) can trigger matches against the preconfigured WAF signatures. To avoid this noise and reduce the risk of false positives, we recommend that you configure Cloud Armor to enable alternative parsing for every supported content type if your protected workloads do any of the following:

  • Serve REST APIs
  • Use GraphQL
  • Receive any requests with JSON-encoded content
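The following added example (not part of the Cloud Armor documentation or product code) models the false-positive problem described above. It uses a constructed, deliberately simple "restricted character anomaly" style check, loosely in the spirit of the SQLi character-counting signatures found in common WAF rule sets; the character set and threshold are assumptions, not Cloud Armor's actual rules. The example runs the check first over the raw body as one uniform string, then over the individual values recovered by JSON parsing, to show that parsing removes the structural noise while still flagging a genuinely suspicious value.

```python
import json

# Constructed stand-in for a restricted-character anomaly signature.
# Counts characters commonly abused in SQL injection; alerts when the count
# exceeds a threshold. This is a simplified model, not Cloud Armor's rule set.
RESTRICTED_CHARS = set("'\"();,=")
ANOMALY_THRESHOLD = 3


def restricted_char_score(value: str) -> int:
    """Number of restricted characters in a single string."""
    return sum(1 for ch in value if ch in RESTRICTED_CHARS)


def inspect_as_uniform_string(body: bytes) -> list:
    """Default behaviour: treat the whole body as one opaque string."""
    text = body.decode("utf-8", errors="replace")
    score = restricted_char_score(text)
    if score > ANOMALY_THRESHOLD:
        return [f"body: restricted-char score {score}"]
    return []


def flatten_json(node, prefix=""):
    """Yield (path, value) pairs for every scalar in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten_json(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from flatten_json(value, f"{prefix}[{index}]")
    else:
        yield prefix, node


def inspect_with_json_parsing(body: bytes) -> list:
    """JSON parsing enabled: only user-supplied values are inspected,
    so the JSON syntax itself cannot trigger the signature."""
    document = json.loads(body)
    findings = []
    for path, value in flatten_json(document):
        if not isinstance(value, str):
            continue
        score = restricted_char_score(value)
        if score > ANOMALY_THRESHOLD:
            findings.append(f"{path}: restricted-char score {score}")
    return findings


# Constructed sample bodies.
BENIGN_JSON = b'{"user":{"name":"alice","email":"alice@example.com"},"tags":["a","b"]}'
INJECTION_JSON = b'{"user":{"name":"x\' OR \'1\'=\'1\' --","email":"e@example.com"}}'

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_JSON), ("injection", INJECTION_JSON)):
        print(label, "uniform string:", inspect_as_uniform_string(body))
        print(label, "json parsing:  ", inspect_with_json_parsing(body))
```

Run as-is, the benign body alerts when inspected as a uniform string (the 16 quotation marks and 3 commas of the JSON syntax alone exceed the threshold) but produces no finding once parsed, while the body carrying an injection-like value in user.name is flagged in both modes. That difference is the noise reduction the page recommends enabling alternative parsing for.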

For each security policy, you can enable or disable JSON parsing of request bodies. JSON parsing applies to requests whose Content-Type header is set to application/json; to control it, use the --json-parsing flag in the Google Cloud CLI.

By default, this option is disabled. The syntax of the flag is as follows:

--json-parsing=[STANDARD | STANDARD_WITH_GRAPHQL | DISABLED]

The flag is available only with gcloud compute security-policies update. You cannot create a new security policy with this option unless you create a security policy in a file and then import that file. For more information, see Import security policies.

Use JSON parsing

In the following example, you configure a list of custom Content-Type header values for which alternative parsing is applied. The example updates the security policy POLICY_NAME to enable JSON parsing, and specifies the content types application/json, application/vnd.api+json, application/vnd.collection+json, and application/vnd.hyper+json:

  gcloud compute security-policies update POLICY_NAME \
      --json-parsing STANDARD \
      --json-custom-content-types "application/json,application/vnd.api+json,application/vnd.collection+json,application/vnd.hyper+json"

Use GraphQL parsing

To configure GraphQL parsing, update your security policy to set the --json-parsing flag to STANDARD_WITH_GRAPHQL:

  gcloud compute security-policies update POLICY_NAME \
      --json-parsing STANDARD_WITH_GRAPHQL
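Because the flag is only available on update, the page's alternative for new policies is to write the policy to a file and import it. The following added example (not Google's code) shows the file-based route for both the JSON and GraphQL settings above: it audits an exported policy for preconfigured WAF rules running without JSON parsing, and produces a corrected copy ready for import. The sample policy is constructed; the field names advancedOptionsConfig.jsonParsing and advancedOptionsConfig.jsonCustomContentTypes are assumed to follow the Compute API SecurityPolicy resource, and the policy name and rule expressions are placeholders.

```python
import json
from copy import deepcopy

# Constructed sample, shaped like a policy exported with
# `gcloud compute security-policies export --file-format=json`.
# Assumption: field names follow the Compute API SecurityPolicy resource.
EXPORTED_POLICY = json.loads("""
{
  "name": "api-edge-policy",
  "rules": [
    {"priority": 1000, "action": "deny(403)",
     "match": {"expr": {"expression": "evaluatePreconfiguredWaf('sqli-v33-stable')"}}},
    {"priority": 2147483647, "action": "allow",
     "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}}}
  ]
}
""")

# Content types from the JSON parsing example on this page.
JSON_CONTENT_TYPES = [
    "application/json",
    "application/vnd.api+json",
    "application/vnd.collection+json",
    "application/vnd.hyper+json",
]

VALID_MODES = {"STANDARD", "STANDARD_WITH_GRAPHQL"}


def uses_preconfigured_waf(policy: dict) -> bool:
    """True if any rule evaluates a preconfigured WAF rule set."""
    for rule in policy.get("rules", []):
        expression = rule.get("match", {}).get("expr", {}).get("expression", "")
        if "evaluatePreconfiguredWaf" in expression or "evaluatePreconfiguredExpr" in expression:
            return True
    return False


def audit_json_parsing(policy: dict) -> list:
    """Flag the weak setting: WAF signatures active while JSON bodies are
    still inspected as one uniform string (jsonParsing absent or DISABLED)."""
    mode = policy.get("advancedOptionsConfig", {}).get("jsonParsing", "DISABLED")
    if uses_preconfigured_waf(policy) and mode == "DISABLED":
        return [f"{policy['name']}: preconfigured WAF rules active but jsonParsing is DISABLED"]
    return []


def enable_json_parsing(policy: dict, mode: str = "STANDARD", content_types=None) -> dict:
    """Return a corrected copy of the policy with JSON (or JSON+GraphQL)
    parsing enabled and optional custom content types; the input is not mutated."""
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {sorted(VALID_MODES)}, got {mode!r}")
    updated = deepcopy(policy)
    config = updated.setdefault("advancedOptionsConfig", {})
    config["jsonParsing"] = mode
    if content_types:
        config["jsonCustomContentTypes"] = sorted(set(content_types))
    return updated


if __name__ == "__main__":
    print("findings before:", audit_json_parsing(EXPORTED_POLICY))
    fixed = enable_json_parsing(EXPORTED_POLICY, "STANDARD", JSON_CONTENT_TYPES)
    print("findings after: ", audit_json_parsing(fixed))
    # Write the corrected policy for `gcloud compute security-policies import`.
    with open("api-edge-policy.json", "w", encoding="utf-8") as handle:
        json.dump(fixed, handle, indent=2)
```

Pass "STANDARD_WITH_GRAPHQL" as the mode to produce the GraphQL variant. The written file is what you hand to gcloud compute security-policies import together with --file-format=json; re-exporting the policy afterwards and running the audit again is a quick check that the setting actually took effect.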

Logging

Each HTTP(S) request that is evaluated against a Cloud Armor security policy is logged through Cloud Logging. The logs provide details, such as the name of the applied security policy, the matching rule, and whether the rule was enforced. Request logging for new backend service resources is disabled by default. To log Cloud Armor requests, you must enable the HTTP(S) logging setting for each backend service protected by a security policy. For more information, see Global external Application Load Balancer logging and monitoring.

Limitations

Consider the following limitations when configuring JSON parsing:

  • Cloud Armor inspects the HTTP POST body up to the first 8 kB by default. You can configure this limit to 8 kB, 16 kB, 32 kB, 48 kB, or 64 kB. If the JSON content is larger than the configured inspection limit, Cloud Armor applies JSON parsing only to the content up to that limit, and the preconfigured WAF rules inspect only that parsed portion.

    For more information about configuring the inspection limit for the request body when using preconfigured WAF rules, see POST and PATCH body inspection limitation.

  • If the JSON parser returns no result, URI parsing might be attempted. If the URI parser returns no name-value parameters or only partial name-value parameters, the entire or partial string might be treated as the parameter name for the inspection.
