POST body content parsing

This page contains information about configuring POST body content parsing, an optional feature that you can use with your Google Cloud Armor security policies.

By default, Google Cloud Armor evaluates the full content of a POST body as a single uniform string (subject to body size limitations) against the signatures in your preconfigured WAF rules. For requests that use an alternative encoding such as JSON, structural components of the message (which are not user-specified) could trigger matches against the preconfigured WAF signatures. To avoid noise and reduce the risk of false positives, we recommend that you configure Google Cloud Armor to enable alternative parsing for any supported Content-Type if your protected workloads do the following:

  • Serve REST APIs
  • Use GraphQL
  • Receive any requests with JSON-encoded content.

You can enable or disable parsing of the JSON body content of POST requests for each security policy. Parsing applies to requests whose Content-Type header is set to application/json; to enable it, use the --json-parsing flag in the Google Cloud CLI.

By default, this option is disabled. The syntax for the flag is as follows:

--json-parsing=[STANDARD | STANDARD_WITH_GRAPHQL | DISABLED]

The flag is available only with gcloud compute security-policies update. You cannot create a new security policy with this option unless you create a security policy in a file and then import that file. For more information, see Importing security policies.

Use JSON parsing

In the following example, you configure a list of custom Content-Type header values for which alternative parsing is applied. The example updates the security policy POLICY_NAME to enable JSON parsing, and specifies the content types application/json, application/vnd.api+json, application/vnd.collection+json, and application/vnd.hyper+json:

gcloud compute security-policies update POLICY_NAME \
    --json-parsing STANDARD \
    --json-custom-content-types "application/json,application/vnd.api+json,application/vnd.collection+json,application/vnd.hyper+json"

Use GraphQL parsing

To configure GraphQL parsing, update your security policy to set the --json-parsing flag to STANDARD_WITH_GRAPHQL, like in the following example:

gcloud compute security-policies update POLICY_NAME \
    --json-parsing STANDARD_WITH_GRAPHQL

Logging

Each HTTP(S) request that is evaluated against a Google Cloud Armor security policy is logged through Cloud Logging. The logs provide details, such as the name of the applied security policy, the matching rule, and whether the rule was enforced. Request logging for new backend service resources is disabled by default. To ensure that Google Cloud Armor requests are logged, you must enable HTTP(S) logging for each backend service protected by a security policy. For more information, see Global external Application Load Balancer logging and monitoring.

Limitations

Consider the following limitations when configuring JSON parsing:

  • The inspection of the POST body is limited to the first 8 KB. If the JSON content is larger than 8 KB, then Google Cloud Armor applies JSON parsing only to the first 8 KB of content, and only that content is inspected by the preconfigured WAF rules.
  • If the JSON parser returns no result, URI parsing might be attempted. If the URI parser returns no name-value parameters, or only partial name-value parameters, the entire string or the unparsed part of it might be treated as the parameter name for the inspection.
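The following added example (not Google's code) is a simplified model of the behaviour described on this page, covering both the parsing modes configured above and the limitations listed here: with parsing disabled the whole body is one inspected string, with STANDARD parsing and a matching Content-Type the inspected strings are the JSON names and values, the body is cut at 8 KB first, and a body the JSON parser rejects falls back to URI parsing or to the whole string as a parameter name. The name prefix "body", the flatten helper and the toy signature regex are assumptions for illustration.

```python
import json
import re
from urllib.parse import parse_qsl

BODY_LIMIT = 8 * 1024  # only the first 8 KB of a POST body is inspected


def flatten(value, prefix="body"):
    """Yield (name, value) pairs for every leaf of a parsed JSON document.

    The "body.key[i]" naming is an assumption of this model, not Cloud Armor's.
    """
    if isinstance(value, dict):
        for key, item in value.items():
            yield from flatten(item, f"{prefix}.{key}")
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from flatten(item, f"{prefix}[{index}]")
    else:
        yield prefix, "" if value is None else str(value)


def inspection_input(content_type, body, json_parsing="DISABLED",
                     custom_types=("application/json",)):
    """Return the (name, value) strings a WAF signature would be evaluated against.

    Simplified model of the documented behaviour; not Cloud Armor's implementation.
    """
    data = body[:BODY_LIMIT]                      # 8 KB limit applies before parsing
    media_type = content_type.split(";")[0].strip().lower()
    if json_parsing == "DISABLED" or media_type not in custom_types:
        return [("body", data)]                   # whole body as one uniform string
    try:
        return list(flatten(json.loads(data)))    # STANDARD: inspect names and values
    except ValueError:
        pass                                      # JSON parser returned no result
    pairs = parse_qsl(data, keep_blank_values=True)  # fall back to URI parsing
    if pairs:
        return pairs                              # with no "=", the string is a name
    return [(data, "")]                           # empty body: nothing but the name


def signature_hits(pattern, pairs):
    """Count inspected strings that match a toy signature regex (constructed here)."""
    return sum(1 for name, value in pairs for s in (name, value) if re.search(pattern, s))
```

A structure-sensitive toy signature such as `"[^"]+"\s*:` fires on the raw JSON body but not on its extracted values, which is the false-positive reduction the page describes.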
