Web request body inspection - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Web request body inspection

For rules that inspect the web request body, AWS WAF can inspect the first 8 KB (8,192 bytes), but not beyond. Only the first 8 KB of the request body are forwarded to AWS WAF for inspection, but the entire request body is sent to your protected resource when a web request is allowed.

This can affect your AWS WAF web request inspection in the following situations:

  • When you write a rule for AWS WAF that inspects the request component Body or JSON body. For information about specifying a request component in a rule, see AWS WAF rules and Web request component settings.

  • When you use a managed rule group with a rule that inspects the request body. For information about which AWS Managed Rules inspect the request body, see AWS Managed Rules rule groups list. For information about which AWS Marketplace rules inspect the request body, ask your rule group provider.

To manage this limitation, configure your web ACL and rules so that they don't unintentionally allow a request body that is over 8 KB on the strength of inspecting only its first 8 KB.

The way that you manage this in your web ACL depends on factors such as how large you need to allow the request body to be, your web ACL's default request handling, and how your body inspection rules act on matching requests. The following are general guidelines:

  • If you need to allow some requests with body size over 8 KB, add a rule that explicitly allows only those requests. You will not be able to use AWS WAF to inspect the body contents of these requests beyond the 8 KB limit.

  • For all other requests, prevent any additional bytes from passing through with a size constraint rule that blocks request bodies over 8 KB. For information about size constraint statements, see Size constraint rule statement.

  • For the requests that aren't blocked by the size constraint rule, inspect the request body as needed. Because every body that reaches these rules is 8 KB or smaller, this inspection is based on the entire contents of the web request body.

To block web request bodies over 8 KB before inspecting the body

  1. When you create or edit your web ACL, in the rules settings, choose Add rules, Add my own rules and rule groups, Rule builder, then Rule visual editor. For guidance creating or editing a web ACL, see Working with web ACLs.

  2. Enter a name for your rule, and leave the Type setting at Regular rule.

  3. Change the following match settings from their defaults:

    1. On Statement, for Inspect, open the dropdown and choose the web request component Body.

    2. For Match type, choose Size greater than.

    3. For Size, type 8192.

  4. For Action, select Block.

  5. Choose Add rule.

  6. After you add the rule, on the Set rule priority page, move your size constraint rule above any rules or rule groups in your web ACL that have web request body inspection. This gives the size constraint rule a lower numeric priority setting. AWS WAF evaluates rules in order of priority, starting from the lowest numeric setting, so it enforces the size constraint before inspecting the request body.

If you need to allow bodies that are larger than 8 KB for some requests, add a rule that explicitly allows those requests and prioritize it to run in your web ACL before your size constraint rule.
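The ordering that the procedure above and this note describe can be checked mechanically. The following is an added example, not AWS's own code: it walks a WAFv2 rule list in the JSON shape that `aws wafv2 get-web-acl` returns, finds the Block rule with a size constraint on Body, and reports any body-inspecting rule that would run before it. Treating every managed rule group as body-inspecting, and the sample rules (trimmed of VisibilityConfig and TextTransformations), are assumptions made for the example.

```python
# Added example (not AWS's own code): check that a Block rule with a size
# constraint on Body (GT, Size <= 8192) runs before every other rule that
# inspects Body or JsonBody. Input uses the WAFv2 JSON rule shape (as in
# `aws wafv2 get-web-acl`); sample rules are constructed and trimmed.
BODY_LIMIT = 8192

def inspects_body(statement):
    """Recursively test whether a statement inspects Body or JsonBody."""
    for key, value in statement.items():
        if key == "ManagedRuleGroupStatement":
            return True  # assumption: treat rule groups as body-inspecting
        if not isinstance(value, dict):
            continue
        field = value.get("FieldToMatch", {})
        if "Body" in field or "JsonBody" in field:
            return True
        nested = list(value.get("Statements", []))
        nested += [value[k] for k in ("Statement", "ScopeDownStatement") if k in value]
        if any(inspects_body(s) for s in nested):
            return True
    return False

def is_body_size_gate(rule):
    """True for a Block rule that rejects every body larger than 8 KB."""
    s = rule["Statement"].get("SizeConstraintStatement", {})
    return ("Body" in s.get("FieldToMatch", {}) and s.get("ComparisonOperator") == "GT"
            and s.get("Size", BODY_LIMIT + 1) <= BODY_LIMIT and "Block" in rule.get("Action", {}))

def check_web_acl(rules):
    """Return findings; an empty list means the ordering follows the guidance."""
    gates = [r["Priority"] for r in rules if is_body_size_gate(r)]
    if not gates:
        return ["no Block rule with SizeConstraintStatement on Body, GT, Size <= 8192"]
    gate = min(gates)  # AWS WAF evaluates the lowest priority number first
    # Explicit Allow rules may precede the gate; any other body rule before it sees only 8 KB.
    return [f"{r['Name']} inspects the body before the size gate" for r in rules
            if r["Priority"] < gate and "Allow" not in r.get("Action", {})
            and inspects_body(r["Statement"])]

SAMPLE_RULES = [  # constructed: allow known large uploads, then gate, then inspect
    {"Name": "allow-large-uploads", "Priority": 0, "Action": {"Allow": {}},
     "Statement": {"ByteMatchStatement": {"FieldToMatch": {"UriPath": {}},
      "PositionalConstraint": "STARTS_WITH", "SearchString": "/upload"}}},
    {"Name": "block-body-over-8kb", "Priority": 1, "Action": {"Block": {}},
     "Statement": {"SizeConstraintStatement": {"FieldToMatch": {"Body": {}},
      "ComparisonOperator": "GT", "Size": 8192}}},
    {"Name": "sqli-in-json-body", "Priority": 2, "Action": {"Block": {}},
     "Statement": {"SqliMatchStatement": {"FieldToMatch": {"JsonBody": {
      "MatchPattern": {"All": {}}, "MatchScope": "ALL"}}}}},
]
```

Run `check_web_acl` over the `Rules` array of your own web ACL; an empty result means the size constraint rule precedes every body-inspecting rule other than explicit allows.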