We use the Next.js JSS library. Whenever we run GraphQL queries against our Sitecore CD instance behind an Azure Web Application Firewall, they get blocked.
When we run the same query in Postman without the newline (\n) characters and whitespace, it succeeds.
These are identified by the WAF as SQL Injection Attack, Windows Command Injection, and SQL Injection Attack Detected via libinjection.
Expected behavior
GraphQL queries succeed through the WAF.
Steps To Reproduce
Any Next.js JSS application, when connecting to Sitecore through an Azure Web Application Firewall.
Possible Fix
A possible solution would be to add a GraphQL minifier, either a library or self-coded.
Example library: https://github.com/drwpow/gqlmin
The main point is to remove all the whitespace and newline characters.
Your Environment
Sitecore Version: 10.1.2
JSS Version: 20.0.3
Browser Name and version: Any Browser
Operating System and version (desktop or mobile): both
On further investigation and testing, minification wouldn't solve all the firewall rules.
The only workaround at this point is to add a firewall exclusion.
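The minifier proposed under Possible Fix, written out as an added example; this is not code from this issue, from JSS, or from gqlmin. It strips the tokens the GraphQL spec treats as ignored (whitespace, line terminators, commas, comments, BOM) by hand so it runs with no dependency, and keeps strings and block strings byte-for-byte so the query's meaning does not change. SAMPLE_QUERY and buildRequestBody are constructed for illustration and do not reflect Sitecore's real schema or endpoint. As the follow-up comment notes, removing whitespace only changes which signatures the WAF can match on; if a WAF exclusion is used instead, scope it to the GraphQL endpoint and request body rather than disabling the SQL injection rule group as a whole.

```javascript
// Added example: dependency-free GraphQL minifier (not the project's or gqlmin's code).
function minifyGraphQL(source) {
  const isNameChar = (ch) => /[A-Za-z0-9_]/.test(ch);
  // "Ignored tokens" per the GraphQL spec: whitespace, line terminators, commas, BOM
  const isIgnored = (ch) =>
    ch === ' ' || ch === '\t' || ch === '\n' || ch === '\r' || ch === ',' || ch === '\uFEFF';

  let out = '';
  let i = 0;
  let prevName = false; // last emitted token was a name or number
  let gap = false;      // ignored characters were skipped since the last emitted token

  while (i < source.length) {
    const ch = source[i];

    if (isIgnored(ch)) { gap = true; i += 1; continue; }

    if (ch === '#') {
      // comment runs to end of line and is dropped entirely
      while (i < source.length && source[i] !== '\n' && source[i] !== '\r') i += 1;
      gap = true;
      continue;
    }

    let token;
    if (source.startsWith('"""', i)) {
      // block string: copied verbatim including its newlines; \""" is an escape
      let j = i + 3;
      while (j < source.length && !(source.startsWith('"""', j) && source[j - 1] !== '\\')) j += 1;
      token = source.slice(i, j + 3);
      i = j + 3;
    } else if (ch === '"') {
      // ordinary string: copied verbatim, honouring backslash escapes
      let j = i + 1;
      while (j < source.length && source[j] !== '"') {
        if (source[j] === '\\') j += 1;
        j += 1;
      }
      token = source.slice(i, j + 1);
      i = j + 1;
    } else if (isNameChar(ch)) {
      // name or number: a run of [A-Za-z0-9_]
      let j = i;
      while (j < source.length && isNameChar(source[j])) j += 1;
      token = source.slice(i, j);
      i = j;
    } else {
      // single punctuator: { } ( ) [ ] : ! $ @ = | & . -
      token = ch;
      i += 1;
    }

    const tokenIsName = isNameChar(token[0]);
    // two adjacent names/numbers need one separator, or "query Foo" would fuse
    if (gap && prevName && tokenIsName) out += ' ';
    out += token;
    prevName = tokenIsName;
    gap = false;
  }
  return out;
}

// Constructed sample query in the shape a JSS item query takes
// (assumed field names, not Sitecore's actual schema).
const SAMPLE_QUERY = `
  query GetItem($path: String!) {
    item(path: $path, language: "en") {
      id,
      name   # trailing comment
      ... on Item { rendered }
    }
  }
`;

// Body the app would POST to the Sitecore GraphQL endpoint: only the query
// text is minified; variables stay as JSON (assumed wire shape).
function buildRequestBody(query, variables) {
  return JSON.stringify({ query: minifyGraphQL(query), variables });
}

console.log(buildRequestBody(SAMPLE_QUERY, { path: '/sitecore/content/Home' }));
```

Commas between arguments and selections are dropped, so a single space is inserted only where two names would otherwise run together; string contents, including newlines inside block strings, are left alone because changing them would change the query's semantics.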