Web Application Firewall allows you to configure request size limits within lower and upper bounds.
Request size limits are global in scope.
Limits
The following two size limit configurations are available:
The maximum request body size field is specified in kilobytes and controls the overall request size limit, excluding any file uploads. This field has a minimum value of 8 KB and a maximum value of 128 KB. The default value for request body size is 128 KB.
The file upload limit field is specified in MB and it governs the maximum allowed file upload size. This field can have a minimum value of 1 MB and the following maximums:
- 100 MB for v1 Medium WAF gateways
- 500 MB for v1 Large WAF gateways
- 750 MB for v2 WAF gateways
The default value for file upload limit is 100 MB.
For CRS 3.2 (on the WAF_v2 SKU) and newer, these limits are as follows when using a WAF policy for Application Gateway:
- 2 MB request body size limit
- 4 GB file upload limit
Only requests with Content-Type of multipart/form-data are considered for file uploads. For content to be considered as a file upload, it has to be a part of a multipart form with a filename header. For all other content types, the request body size limit applies.
To set request size limits in the Azure portal, configure Global parameters in the WAF policy resource's Policy settings page.
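As an added example (not from the article or from Azure), the following Python check lints a WAF policy's size settings against the bounds described above, including the larger CRS 3.2 bounds on WAF_v2. It assumes the input dict uses the ARM `policySettings` property names `requestBodyCheck`, `maxRequestBodySizeInKb` and `fileUploadLimitInMb`; the tier labels (`v1_medium`, `v1_large`, `v2`) and the check logic are this example's own.

```python
"""Lint the request size settings of an Application Gateway WAF policy against
the documented bounds.  Added example, not Azure code: the input dict uses the
ARM policySettings property names (requestBodyCheck, maxRequestBodySizeInKb,
fileUploadLimitInMb); the tier labels and the checks are this example's own."""

# Documented file upload maximums in MB per gateway tier (CRS before 3.2).
FILE_UPLOAD_MAX_MB = {"v1_medium": 100, "v1_large": 500, "v2": 750}


def size_bounds(gateway_tier, crs_version):
    """Return (max body size in KB, max file upload in MB) for a tier/CRS pair."""
    if gateway_tier == "v2" and crs_version >= (3, 2):
        return 2 * 1024, 4 * 1024  # 2 MB body limit, 4 GB upload limit
    return 128, FILE_UPLOAD_MAX_MB[gateway_tier]


def validate_size_settings(settings, gateway_tier, crs_version=(3, 1)):
    """Return a list of findings; an empty list means the settings are in range."""
    findings = []
    body_max_kb, upload_max_mb = size_bounds(gateway_tier, crs_version)
    body_check = settings.get("requestBodyCheck", True)
    body_kb = settings.get("maxRequestBodySizeInKb")
    upload_mb = settings.get("fileUploadLimitInMb")

    if not body_check:
        # With inspection off the body size field cannot be set, and bodies of
        # any size pass with only headers, cookies and URI evaluated.
        if body_kb is not None:
            findings.append("maxRequestBodySizeInKb is not applicable when requestBodyCheck is false")
        findings.append("requestBodyCheck is false: request bodies are not inspected by WAF rules")
    elif body_kb is not None and not 8 <= body_kb <= body_max_kb:
        findings.append(f"maxRequestBodySizeInKb={body_kb} is outside 8..{body_max_kb}")

    if upload_mb is not None and not 1 <= upload_mb <= upload_max_mb:
        findings.append(
            f"fileUploadLimitInMb={upload_mb} is outside 1..{upload_max_mb} for {gateway_tier}"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample: a v1 Medium gateway given a v1 Large upload limit.
    sample = {"requestBodyCheck": True, "maxRequestBodySizeInKb": 128, "fileUploadLimitInMb": 500}
    for finding in validate_size_settings(sample, "v1_medium"):
        print(finding)
```

Run it against an exported policy before deployment; the one finding that is not a hard error (body inspection disabled) is still worth surfacing, because it means the body limit has no effect at all.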
Request body inspection
WAF offers a configuration setting to enable or disable request body inspection. By default, request body inspection is enabled. If request body inspection is disabled, WAF doesn't evaluate the contents of an HTTP message's body. In such cases, WAF continues to enforce WAF rules on headers, cookies, and URI. If request body inspection is turned off, then the maximum request body size field isn't applicable and can't be set.
Turning off the request body inspection allows for messages larger than 128 KB to be sent to WAF, but the message body isn't inspected for vulnerabilities.
When your WAF receives a request that's over the size limit, the behavior depends on the mode of your WAF and the version of the managed ruleset you use.
- When your WAF policy is in prevention mode, WAF logs and blocks requests that are over the size limit.
- When your WAF policy is in detection mode, WAF inspects the body up to the limit specified and ignores the rest. If the Content-Length header is present and is greater than the file upload limit, WAF ignores the entire body and logs the request.
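The two rules above (which bytes of a request fall under which limit, and what happens when a request is over the limit in each mode) can be modelled in a few lines. The following Python is an added example, not Azure code: it parses a constructed multipart/form-data body, counts parts carrying a `filename` as file uploads and everything else as request body, and returns the outcome the article describes for the policy's mode. The policy dict keys and the outcome labels are this example's own, and counting only part payloads (not part headers) is an approximation.

```python
"""Model how the documented size limits apply to one request.
Added example, not Azure code.  Classification follows the article: parts of a
multipart/form-data body with a filename are file uploads, everything else is
request body.  Policy keys and outcome labels are this example's own."""
import re


def split_multipart(content_type, body):
    """Return (file_bytes, other_bytes) for a multipart/form-data body.
    Only part payloads are counted; part headers are ignored (approximation)."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("multipart/form-data without a boundary parameter")
    delimiter = b"--" + m.group(1).encode()
    file_bytes = other_bytes = 0
    for part in body.split(delimiter)[1:]:
        if part.strip() in (b"", b"--"):
            continue  # closing delimiter / epilogue
        headers, _, payload = part.partition(b"\r\n\r\n")
        payload = payload.rstrip(b"\r\n")
        if re.search(rb"(?i)content-disposition:.*filename=", headers):
            file_bytes += len(payload)
        else:
            other_bytes += len(payload)
    return file_bytes, other_bytes


def waf_size_decision(policy, content_type, content_length, body):
    """Return 'inspect', 'block', 'inspect_to_limit', 'skip_body_log' or
    'body_not_inspected' according to the behaviour the article describes."""
    if not policy.get("request_body_check", True):
        return "body_not_inspected"  # headers, cookies and URI are still evaluated
    body_limit = policy["max_request_body_kb"] * 1024
    upload_limit = policy["file_upload_limit_mb"] * 1024 * 1024
    if content_type.lower().startswith("multipart/form-data"):
        file_bytes, other_bytes = split_multipart(content_type, body)
    else:
        file_bytes, other_bytes = 0, len(body)  # non-multipart: all body bytes
    if other_bytes <= body_limit and file_bytes <= upload_limit:
        return "inspect"
    if policy["mode"] == "Prevention":
        return "block"  # logged and blocked
    # Detection mode: a declared Content-Length above the upload limit means the
    # whole body is ignored and the request logged; otherwise inspect up to the
    # limit and ignore the rest.
    if content_length is not None and content_length > upload_limit:
        return "skip_body_log"
    return "inspect_to_limit"


# Constructed sample request: a small text field plus a 3000-byte file part.
BOUNDARY = "sample-boundary-1"
SAMPLE_CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="comment"\r\n\r\n'
    "hello\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="doc"; filename="report.pdf"\r\n'
    "Content-Type: application/pdf\r\n\r\n" + "A" * 3000 + "\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

# Policy with the documented defaults (128 KB body, 100 MB upload).
PREVENTION = {"mode": "Prevention", "request_body_check": True,
              "max_request_body_kb": 128, "file_upload_limit_mb": 100}
DETECTION = dict(PREVENTION, mode="Detection")

if __name__ == "__main__":
    print(split_multipart(SAMPLE_CONTENT_TYPE, SAMPLE_BODY))
    print(waf_size_decision(PREVENTION, SAMPLE_CONTENT_TYPE, len(SAMPLE_BODY), SAMPLE_BODY))
```

The useful property of the model is the asymmetry it makes visible: a 200 KB JSON body is blocked in prevention mode but only partially inspected in detection mode, and a request whose declared Content-Length exceeds the upload limit is logged with its body skipped entirely. Detection mode logs are therefore the place to look for over-limit traffic before switching a policy to prevention.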
Next steps
- After you configure your WAF settings, you can learn how to view your WAF logs. For more information, see Application Gateway diagnostics.
- Learn more about Azure network security
As a cybersecurity expert with extensive knowledge in web application security, I can confidently delve into the key concepts presented in the provided article. My expertise in this domain is grounded in practical experience, industry best practices, and a comprehensive understanding of web application firewalls (WAFs).
The article, dated 10/06/2023, primarily focuses on the configuration options and features related to request size limits in a Web Application Firewall. Let's break down the key concepts mentioned in the article:
1. Web Application Firewall (WAF):
A Web Application Firewall is a security solution designed to protect web applications from various online threats, including SQL injection, cross-site scripting (XSS), and other types of attacks. It acts as a barrier between the web application and the internet, monitoring and controlling incoming and outgoing traffic based on predetermined security rules.
2. Request Size Limits:
Request size limits are crucial parameters in WAF configurations, and they determine the allowed size of incoming requests. The article outlines two global size limit configurations:
- Maximum Request Body Size:
  - Specified in kilobytes (KB).
  - Minimum value: 8 KB, Maximum value: 128 KB.
  - Default value: 128 KB.
- File Upload Limit:
  - Specified in megabytes (MB).
  - Minimum value: 1 MB.
  - Maximum values:
    - 100 MB for v1 Medium WAF gateways.
    - 500 MB for v1 Large WAF gateways.
    - 750 MB for v2 WAF gateways.
  - Default value: 100 MB.
3. WAF Policy and Application Gateway:
- For CRS 3.2 (on the WAF_v2 SKU) and newer, different limits apply when using a WAF policy for Application Gateway:
- 2 MB request body size limit.
- 4 GB file upload limit.
- Only requests with Content-Type of multipart/form-data are considered for file uploads.
4. Request Body Inspection:
- WAF offers a configuration setting to enable or disable request body inspection.
- By default, request body inspection is enabled.
- If disabled, WAF doesn't evaluate the contents of an HTTP message's body.
- Disabling inspection allows messages larger than 128 KB but without vulnerability assessment.
5. WAF Policy Modes:
- Prevention Mode:
  - Logs and blocks requests exceeding the size limit.
- Detection Mode:
  - Inspects the body up to the specified limit.
  - Ignores the rest of the body if it exceeds the limit.
  - Logs the request.
6. Next Steps:
- After configuring WAF settings, the article suggests learning how to view WAF logs.
- References Application Gateway diagnostics for more information.
- Encourages learning more about Azure network security.
This breakdown provides a comprehensive understanding of the key concepts related to configuring request size limits in a Web Application Firewall, ensuring the security and integrity of web applications. If you have any specific questions or need further clarification, feel free to ask.