Azure Application Gateway WAF Mode Increase Limit on SecRequestBodyLimit
When we have the WAF set to prevention mode, some of our HTTP POSTs are denied with code 413.
Request body no files data length is larger than the configured limit (131072).. Deny with code (413)
Can you make these two settings configurable on the WAF?
Thanks for your feedback. This is planned as part of global WAF configurable parameters.
This feature is very necessary. I hope it will be implemented as soon as possible!
Please give an update on this one.
Disabling the body inspection is really not an option, and if we have to add a custom rule, there is also a limit of 100 custom rules.
Brian Young commented
This is pretty critical for legacy webforms applications with _viewstate... :(
Michał Leśniewski commented
2 years in planned status...
Please, increase this limit or give possibility to exclude per URI.
Christian Pouchoulen commented
Wondering if anybody was able to make it work without disabling the body inspection? We have all the rules in the WAF and need to consume an API and send JSON content larger than the limit. Could you help?
I was able to solve it by adding one "Web Application Firewall" and then attaching it to your gateway. Then add a custom rule with MatchType=String, MatchVariable=RequestUri, then Contains=/your/UriPath to match, and then add an Action = Allow.
This rule should have a lower number (higher priority) if you have other rules blocking the request.
Give possibility to the customer to change the HTTP2 header sizes.
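An added example (not part of the original thread, and not Microsoft's code): a Python audit that flags the kind of Allow custom rule described in the comment above, because an Allow match ends rule evaluation and the managed rule set never inspects those requests. The policy JSON is a constructed sample in the ARM shape of `Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies`; the rule names and the `audit_policy` helper are hypothetical.

```python
import json

# Constructed sample policy (ARM export shape); rule names are hypothetical.
SAMPLE_POLICY = json.loads("""
{
  "properties": {
    "policySettings": {"state": "Enabled", "mode": "Prevention", "requestBodyCheck": true},
    "customRules": [
      {"name": "blockBadBots", "priority": 20, "ruleType": "MatchRule", "action": "Block",
       "matchConditions": [{"matchVariables": [{"variableName": "RequestHeaders", "selector": "User-Agent"}],
                            "operator": "Contains", "matchValues": ["evilbot"]}]},
      {"name": "allowLargeUpload", "priority": 5, "ruleType": "MatchRule", "action": "Allow",
       "matchConditions": [{"matchVariables": [{"variableName": "RequestUri"}],
                            "operator": "Contains", "matchValues": ["/your/UriPath"]}]}
    ]
  }
}
""")

def audit_policy(policy):
    """Return findings for settings that leave traffic uninspected."""
    props = policy.get("properties", {})
    findings = []
    # Body inspection switched off for the whole policy.
    if props.get("policySettings", {}).get("requestBodyCheck") is False:
        findings.append("policy: request body inspection is disabled")
    # Custom rules are evaluated in ascending priority number.
    rules = sorted(props.get("customRules", []), key=lambda r: r.get("priority", 0))
    for rule in rules:
        if rule.get("action") != "Allow" or rule.get("state", "Enabled") == "Disabled":
            continue
        conditions = rule.get("matchConditions", [])
        variables = {v.get("variableName") for c in conditions for v in c.get("matchVariables", [])}
        if variables == {"RequestUri"}:  # allow decided by the URI alone
            values = [v for c in conditions for v in c.get("matchValues", [])]
            loose = any(c.get("operator") == "Contains" for c in conditions)
            findings.append(
                f"rule {rule['name']} (priority {rule['priority']}): Allow on RequestUri "
                f"{values}; managed rules are skipped for matching requests"
                + ("; 'Contains' also matches the value anywhere in the URI" if loose else ""))
    return findings

if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY):
        print(line)
```

Narrowing such a rule with additional match conditions (for example request method or source address) reduces how much traffic reaches the backend without managed-rule inspection.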
Rhett Blach commented
I would also love to know how you can get around this without disabling body inspection. I can't seem to find any mention of how to do this anywhere.
Krishna Gummuluri commented
This is what we need (based on NGINX WAF)
Request size checks - Upper limit of request size as dictated by the maximum buffer size of 10 MB; Size checks for: URL, header, Query String, whole request (when smaller than the maximum buffer), cookie, POST data. By default all the checks are enabled with the exception of POST data and whole request. The user can enable or disable every check and customize the size limits.
Oussama or anyone else - would you be able to share how to bypass this error without disabling "inspect body"?
This is very important
I found a way to bypass this error without disabling the "inspect body", but it would be nice if Microsoft added some configurable parameters in the next updates.
Please can this be added.
Scott LaFave commented
Can we please have an update to this? It's been planned since 2018. It's a showstopper from a security standpoint. Even path-based exclusions would be a major improvement, if the size cannot be increased globally yet.
Please update this subject
Sasha Golin commented
Can we have an update on the status of this from the Azure Networking Team?
Chris C commented
The limit still exists in 2020. I thought I had it all wrong reading forums from 2018 trying to figure out what my issue was.
2MB would be nice?
2 years later ... update please!
Also - FYI .. the new Application Gateway WAF Policy (Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies) has similar behavior - BUT responds with an HTTP 500 instead of 413. AND you cannot disable body, it has no impact on this rule firing and blocking traffic!
Request body contained a field longer than the limit (20480 bytes)
UPDATE - Microsoft has fixed the new Application Gateway WAF Policy issue where the 20480 body limit applied even with body inspection disabled. So at least you can still get header checking while waiting for this to become configurable.
Justin T commented
Just ran into this problem as well. Had to disable body inspection and that is a terrible compromise!
Joost Groot commented
It's such a waste to disable "Inspect Request body". But I have to, since a Microsoft part of viewstate has a larger body than 128K and I just can't use it with the WAF otherwise.
At least the headers and cookies are still checked.
Please, Microsoft. This feature is set to Planned (April 6, 2018). Is there any indication on when it's active?
This is also impacting our ability to manage our website via CMS.
Please increase the 128K max limit.