Closed sbe-arg closed 1 year ago
Got this email.
_We are reaching out to request that you inspect your AWS WAF (Web Application Firewall) rules and apply a size restraint rule, or define oversize handling behavior, by October 1, 2022.
With AWS WAF, customers can configure rules that allow, block, captcha, or monitor (count) web requests based on conditions they define. These conditions include IP addresses, HTTP headers, HTTP body, URI strings, SQL injection and cross-site scripting. When customers enable AWS WAF for CloudFront, Application Load Balancer, API Gateway or AppSync, only the first 8 KB of the request body are forwarded to AWS WAF for inspection. The 8 KB limit helps maintain high WAF performance and low latency, even during conditions of exceptional load. However, some bypass attempts intentionally put data towards the end of large (> 8 KB) requests. If your application does not expect requests greater than 8 KB in size, you can prevent them from passing through with a WAF size constraint rule statement. This will result in large requests being denied._
Don't like the sound of that.
Same here. Any solutions?
Merged here: https://github.com/awslabs/aws-waf-security-automations/pull/222, although a PR opened and merged without approval by the same contributor seems like poor practice.
Would be good to add some sort of oversize handler.
https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html
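As an added example (not code from this thread or from aws-waf-security-automations), the Python below builds the size constraint rule the AWS email describes and audits a WAFv2 WebACL rule list for Body/JsonBody inspections that leave OversizeHandling at its default of CONTINUE, which is what lets data past the 8 KB limit go uninspected. The rule names and sample rules are constructed for the demonstration.

```python
"""Added example (not code from this thread or aws-waf-security-automations): the size
constraint rule the AWS email describes, plus an audit of WAFv2 rules whose body
inspection leaves OversizeHandling at its default, CONTINUE."""
BODY_INSPECTION_LIMIT = 8192  # WAF inspects only this many body bytes (the 8 KB in the email)

def size_constraint_rule(priority, name="BlockOversizeBody"):
    """Blocking rule for bodies over the limit. OversizeHandling MATCH makes an
    oversize body match even though WAF only received its first 8 KB."""
    return {
        "Name": name, "Priority": priority, "Action": {"Block": {}},
        "Statement": {"SizeConstraintStatement": {
            "FieldToMatch": {"Body": {"OversizeHandling": "MATCH"}},
            "ComparisonOperator": "GT", "Size": BODY_INSPECTION_LIMIT,
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }

def _unhandled_body_fields(node):
    """Walk a statement tree (And/Or/Not nesting included) and list Body/JsonBody fields
    that effectively CONTINUE, i.e. bytes past the 8 KB limit are never inspected."""
    found = []
    if isinstance(node, dict):
        for key in ("Body", "JsonBody"):  # FieldToMatch types subject to the limit
            field = node.get("FieldToMatch", {}).get(key)
            if isinstance(field, dict) and field.get("OversizeHandling", "CONTINUE") == "CONTINUE":
                found.append(key)
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else ()
    for child in children:
        found.extend(_unhandled_body_fields(child))
    return found

def audit_oversize_handling(rules):
    """Map rule name -> unhandled body fields, for every rule that has at least one."""
    return {r["Name"]: f for r in rules if (f := _unhandled_body_fields(r.get("Statement", {})))}

# Constructed sample WebACL rules (not a real deployment) exercising the audit.
SAMPLE_RULES = [
    {"Name": "SqliBody", "Priority": 0, "Action": {"Block": {}}, "Statement": {"SqliMatchStatement": {
        "FieldToMatch": {"Body": {}}, "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]}}},
    {"Name": "XssJsonAndBody", "Priority": 1, "Action": {"Block": {}},
     "Statement": {"AndStatement": {"Statements": [
         {"XssMatchStatement": {"FieldToMatch": {"JsonBody": {"MatchPattern": {"All": {}},
             "MatchScope": "ALL", "OversizeHandling": "NO_MATCH"}},
             "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
         {"ByteMatchStatement": {"FieldToMatch": {"Body": {"OversizeHandling": "CONTINUE"}},
             "PositionalConstraint": "CONTAINS", "SearchString": "<script",
             "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}]}}},
    size_constraint_rule(2),
]
```

Running `audit_oversize_handling(SAMPLE_RULES)` flags `SqliBody` and `XssJsonAndBody` (both inspect `Body` without a real oversize decision) and leaves the size constraint rule clean.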