Azure Front Door WAF should scan POST requests with content-type multipart
At the moment, the Azure Front Door WAF does not scan for XSS threats when the request going through FD is of content-type multipart. It was advised that this is the case by the Microsoft Support team. For example, if I send the following request through Azure Front Door with the OWASP DefaultRuleSet enabled on its WAF:
content-type: multipart/form-data; boundary=----WebKitFormBoundaryriZKfNGOPKHI8rWO
The WAF does not detect the XSS threat simply because of the content-type.
This is fundamental to have in a service dedicated to protecting backend systems. I am conscious this is currently being worked on; however, what is the ETA?
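Added example, not part of the original post and not Microsoft code: a sketch of an origin-side check that parses a multipart/form-data body and flags text fields containing script-like markup, as a compensating control for the gap described above. The function names, the field names, the sample body and the pattern list are assumptions made for illustration; only the boundary string comes from the post.

```python
import re
from email import policy
from email.parser import BytesParser

# Illustrative patterns only (assumption); far narrower than a managed WAF rule set.
SUSPICIOUS = re.compile(
    rb"<\s*script\b|\bon\w+\s*=|javascript\s*:|<\s*iframe\b", re.IGNORECASE
)

def parse_form_fields(content_type: str, body: bytes):
    """Yield (name, filename, value_bytes) for each part of a multipart body."""
    head = f"Content-Type: {content_type}\r\nMIME-Version: 1.0\r\n\r\n".encode()
    msg = BytesParser(policy=policy.default).parsebytes(head + body)
    # A missing boundary or a non-multipart type is rejected, not passed through.
    if msg.get_content_type() != "multipart/form-data" or not msg.is_multipart():
        raise ValueError("not a well-formed multipart/form-data body")
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        yield name, part.get_filename(), part.get_payload(decode=True) or b""

def flag_fields(content_type: str, body: bytes):
    """Return names of non-file fields whose value matches SUSPICIOUS."""
    return [
        name
        for name, filename, value in parse_form_fields(content_type, body)
        if filename is None and SUSPICIOUS.search(value)
    ]

# Constructed sample request body; the boundary is the one quoted in the post.
SAMPLE_CT = "multipart/form-data; boundary=----WebKitFormBoundaryriZKfNGOPKHI8rWO"
SAMPLE_BODY = (
    b"------WebKitFormBoundaryriZKfNGOPKHI8rWO\r\n"
    b'Content-Disposition: form-data; name="title"\r\n\r\n'
    b"hello\r\n"
    b"------WebKitFormBoundaryriZKfNGOPKHI8rWO\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n\r\n'
    b"<script>alert(1)</script>\r\n"
    b"------WebKitFormBoundaryriZKfNGOPKHI8rWO--\r\n"
)

if __name__ == "__main__":
    print(flag_fields(SAMPLE_CT, SAMPLE_BODY))
```

Pattern matching at the origin is a stopgap; contextual output encoding in the backend remains the actual fix for XSS regardless of what the WAF inspects.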