Azure Application Gateway WAF Mode Increase Limit on SecRequestBodyLimit
When we have the WAF set to prevention mode some of our HTTP post are denied with code 413.
Request body no files data length is larger than the configured limit (131072).. Deny with code (413)
Can you make these two settings configurable on the WAF?
Thanks for your feedback. This is planned as part of global waf configurable parameters.
Oussama or anyone else - would you be able to share how to bypass this error without disabling "inspect body"?
This is very important
i found a way to bypass this error without disabling the "inspect body", but would be nice if Microsoft added some configurable parameters in next updates
Please can this be added
Scott LaFave commented
Can we please have an update to this? It's been planned sine 2018. It's a showstopper from a security standpoint. Even path-based exclusions would be a major improvement, if the size cannot be increased globally yet.
Please update this subject
Sasha Golin commented
Can we have an update on the status of this from the Azure Networking Team?
Chris C commented
The limit still exists in 2020. I thought I had it all wrong reading forums from 2018 trying to figure out what my issue was
2MB would be nice?
2 years later ... update please!
Also - FYI .. the new Application Gateway WAF Policy (Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies) has similar behavior - BUT responds with an HTTP 500 instead of 413. AND you cannot disable body, it has no impact on this rule firing and blocking traffic!
Request body contained a field longer than the limit (20480 bytes)
UPDATE - microsoft has fixed the new Application Gateway WAF Policy issue where 20480 body limit even with disable body. So at least you can still get header checking while waiting for this to become configurable.
Justin T commented
Just ran into this problem as well. Had to disable body inspection and that is a terrible compromise!
Joost Groot commented
It's such a waste to disable "Inspect Request body". But I have to since a Microsoft part of viewstate has a larger body then 128K and I just cant use it with the WAF else.
Atleast the headers and cookies are still checked.
Please Microsoft. This feature is set to Planned (april 6, 2018). Is there any indication one when it's active?
This is also impacting our ability to manage our website via CMS.
Please increase the 128K max limit.
Please increase the upper limit of 128K.
It is useless at this time.
At the very least --
1) Can exclusions (such as __VIEWSTATE) not count towards the 128KB limit
2) Can custom rules that allow traffic not count towards the 128KB limit OR the 500MB filesize limit?
Peter Lorenzen commented
We have spend so much time to get Application Gateway working. It is not a very good product. The size limit was the last straw. Now we are going to use an Apache http server on a VM instead. We should have done that from the start. We would have save so much money... :-(
This is a showstopper for us too. Our client app may post a sizable request to a SOAP web service (not a file upload). The request size may grow up to tens of Megabytes. We could disable the rule check for a particular path using a WAF Policy custom rule - alas, the request size check is a global mandatory rule that can only be disabled along with the "entire firewall".
The protection from the OWASP Top 10 vulnerabilities is the main reason why we have implemented the Application Gateway with our ERP Suite. Now, we cannot enable the protection.
It's understood why Microsoft is "limiting the request size configurable limit" to a relatively small value of 128kb - performance concerns. OK, please let us completely exclude a particular path from the WAF processing - so the request size check was also disabled.
Thank you for your attention to this issue!
Sujesh Arukil commented
why a max of 128 kb in the first place? if nothing else, it could be at least 1 MB
Increase message body limit beyond 128kb
Timothy Lee Russell commented
Thanks for letting us know that there is a fix in the works.
Any update on when we might expect the fix to this blocking issue? (Pun intended, I suppose.)
Jeremy Burke commented
We also had to disable WAF until these parameters are released.
Tomasz S commented
Could you let us know when this will be added? because of that limit we had to disable WAF