Azure Application Gateway WAF Mode Increase Limit on SecRequestBodyLimit
When we have the WAF set to prevention mode some of our HTTP post are denied with code 413.
Request body no files data length is larger than the configured limit (131072).. Deny with code (413)
Can you make these two settings configurable on the WAF?
Thanks for your feedback. This is planned as part of global waf configurable parameters.
Scott LaFave commented
Can we please have an update to this? It's been planned sine 2018. It's a showstopper from a security standpoint. Even path-based exclusions would be a major improvement, if the size cannot be increased globally yet.
Please update this subject
Sasha Golin commented
Can we have an update on the status of this from the Azure Networking Team?
Chris C commented
The limit still exists in 2020. I thought I had it all wrong reading forums from 2018 trying to figure out what my issue was
2MB would be nice?
2 years later ... update please!
Also - FYI .. the new Application Gateway WAF Policy (Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies) has similar behavior - BUT responds with an HTTP 500 instead of 413. AND you cannot disable body, it has no impact on this rule firing and blocking traffic!
Request body contained a field longer than the limit (20480 bytes)
Justin T commented
Just ran into this problem as well. Had to disable body inspection and that is a terrible compromise!
Joost Groot commented
It's such a waste to disable "Inspect Request body". But I have to since a Microsoft part of viewstate has a larger body then 128K and I just cant use it with the WAF else.
Atleast the headers and cookies are still checked.
Please Microsoft. This feature is set to Planned (april 6, 2018). Is there any indication one when it's active?
This is also impacting our ability to manage our website via CMS.
Please increase the 128K max limit.
Please increase the upper limit of 128K.
It is useless at this time.
At the very least --
1) Can exclusions (such as __VIEWSTATE) not count towards the 128KB limit
2) Can custom rules that allow traffic not count towards the 128KB limit OR the 500MB filesize limit?
Peter Lorenzen commented
We have spend so much time to get Application Gateway working. It is not a very good product. The size limit was the last straw. Now we are going to use an Apache http server on a VM instead. We should have done that from the start. We would have save so much money... :-(
This is a showstopper for us too. Our client app may post a sizable request to a SOAP web service (not a file upload). The request size may grow up to tens of Megabytes. We could disable the rule check for a particular path using a WAF Policy custom rule - alas, the request size check is a global mandatory rule that can only be disabled along with the "entire firewall".
The protection from the OWASP Top 10 vulnerabilities is the main reason why we have implemented the Application Gateway with our ERP Suite. Now, we cannot enable the protection.
It's understood why Microsoft is "limiting the request size configurable limit" to a relatively small value of 128kb - performance concerns. OK, please let us completely exclude a particular path from the WAF processing - so the request size check was also disabled.
Thank you for your attention to this issue!
Sujesh Arukil commented
why a max of 128 kb in the first place? if nothing else, it could be at least 1 MB
Increase message body limit beyond 128kb
Timothy Lee Russell commented
Thanks for letting us know that there is a fix in the works.
Any update on when we might expect the fix to this blocking issue? (Pun intended, I suppose.)
Jeremy Burke commented
We also had to disable WAF until these parameters are released.
Tomasz S commented
Could you let us know when this will be added? because of that limit we had to disable WAF
Is this now implemented? Because the status is still planned I would also like to see that the message body could be bigger then 128KB
We desperately need to be able to configure the limit of the message body to be bigger than 128KB (131072). We run off-the-shelf software that cannot be changed to respect this limit. One exaplle is DotNetNuke/Evoq, where the Admin interface use a lot of XHR requests which break the size limit.
As far as I understand, this is now implemented, but the maximum limit is 128KB. This is still to low for some applications. We have COTS software that generetes POST request with large _VIEWSTATE that gets blocked with 413 ModSecurity Action. Please raise the max value.