Enforces restrictions on JSON request bodies to protect against JSON-based attacks and resource exhaustion. Validates against configurable limits to prevent attacks such as:
- Deeply nested JSON structures (billion laughs attack)
- Memory exhaustion from oversized payloads
- Prototype pollution via `__proto__` keys in JavaScript backends
- Duplicate key attacks
```yaml
- jsonProtection:
    maxDepth: 20
    maxKeyLength: 50
    maxObjectSize: 100
    maxTokens: 1000
    maxStringLength: 1000
    maxArraySize: 100
    maxSize: 10000
    blockProto: true
    reportError: true
```
Syntax
```yaml
jsonProtection:
  blockProto: <boolean>
  maxArraySize: <number>
  maxDepth: <number>
  maxKeyLength: <number>
  maxObjectSize: <number>
  maxSize: <number>
  maxStringLength: <number>
  maxTokens: <number>
  reportError: <boolean>
```
Attributes
| Name | Required | Default | Description | Examples |
|---|---|---|---|---|
| blockProto | false | true | Blocks JSON properties with a key of `__proto__` to avoid prototype pollution in JavaScript backends. | - |
| maxArraySize | false | 1000 | Maximum size of JSON arrays. For example, [[1,2],[3,4,5]] has an array size of 2. The nested arrays have sizes of 2 and 3. | - |
| maxDepth | false | 50 | Maximum depth of nested JSON structures. For example, {"a":{"b":{"c":"d"}}} has a depth of 3. | - |
| maxKeyLength | false | 256 | Maximum key length. For example, {"abcd": "efgh123", "ijkl": [ "mnop123" ], "qrst": { "uvwx": 1}} has a maximum key length of 4. (In this example, all 4 strings used as keys effectively have length 4.) The maximum key length also affects strings ("abcd", "ijkl", "qrst" and "uvwx" in the example). The strings can also be limited by the separate property maxStringLength. The stricter limit applies. | - |
| maxObjectSize | false | 1000 | Maximum size of JSON objects. For example, {"a": {"b":"c", "d": "e"}, "f": "g"} has a maximum object size of 2. (In this example, both objects effectively have a size of 2.) | - |
| maxSize | false | 52428800 | Maximum total size of the JSON document in bytes. | - |
| maxStringLength | false | 262144 | Maximum string length. For example, {"abcd": "efgh", "ijkl": [ "mnop" ], "qrst": { "uvwx": 1}} has a maximum string length of 4. (In this example, all 6 strings effectively have length 4.) The maximum string length also affects keys ("abcd", "ijkl", "qrst" and "uvwx" in the example). The keys can also be limited by the separate property maxKeyLength. The stricter limit applies. | - |
| maxTokens | false | 10000 | Maximum number of tokens a JSON document may consist of. For example, {"a":"b"} counts as 3. | - |
| reportError | false | Depends on production configuration. In production mode the default is false, otherwise true. | Overrides the default error reporting behaviour. If set to true, errors provide a ProblemDetails body; if set to false, errors throw exceptions, resulting in 400 Bad Request responses without any details. | - |
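
The counting rules in the table, written out as a small Python validator. This is an added example, not the gateway's own implementation: the names `measure`, `violations` and `Violation` are hypothetical, the limit values are those of the example configuration above, and maxTokens is left out because the page gives only one counting example for it.

```python
import json

# Values from the page's example configuration; maxTokens is not modelled.
LIMITS = {"maxDepth": 20, "maxKeyLength": 50, "maxObjectSize": 100,
          "maxStringLength": 1000, "maxArraySize": 100, "maxSize": 10000,
          "blockProto": True}

class Violation(ValueError):
    """Raised for keys that dict() would silently merge or pass through."""

def _pairs(limits):
    def hook(pairs):  # sees every key before duplicates are merged (last wins)
        keys = [k for k, _ in pairs]
        if len(keys) != len(set(keys)):
            raise Violation("duplicate key")
        if limits["blockProto"] and "__proto__" in keys:
            raise Violation("__proto__ key")
        return dict(pairs)
    return hook

def measure(node, depth=1, m=None):
    """Largest depth, key, string, object and array, counted as in the table."""
    m = {} if m is None else m
    def bump(name, value):
        m[name] = max(m.get(name, 0), value)
    if isinstance(node, str):
        bump("maxStringLength", len(node))
    elif isinstance(node, (dict, list)):
        is_obj = isinstance(node, dict)
        bump("maxDepth", depth)
        bump("maxObjectSize" if is_obj else "maxArraySize", len(node))
        for key in (node if is_obj else ()):
            bump("maxKeyLength", len(key))
            bump("maxStringLength", len(key))  # keys are strings too
        for child in (node.values() if is_obj else node):
            measure(child, depth + 1, m)
    return m

def violations(raw, limits=LIMITS):
    """Names of the limits a request body breaks; an empty list means accept."""
    if len(raw) > limits["maxSize"]:
        return ["maxSize"]  # checked on the raw bytes, before any parsing
    try:
        found = measure(json.loads(raw, object_pairs_hook=_pairs(limits)))
    except RecursionError:  # nesting so deep the parser or walker ran out of stack
        return ["maxDepth"]
    except ValueError as exc:  # Violation from the hook, or malformed JSON
        return [str(exc) if isinstance(exc, Violation) else "invalid JSON"]
    return [name for name, value in found.items() if value > limits[name]]
```

The size check runs before parsing, and the duplicate-key and `__proto__` checks run inside the parse hook, because a plain `json.loads` keeps only the last value of a repeated key.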