aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0

Handling oversized requests #215

Status: Closed (sbe-arg closed this 1 year ago)

sbe-arg commented 2 years ago

It would be good to add some sort of oversize handler.


https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html

sbe-arg commented 1 year ago

Got this email.

> We are reaching out to request that you inspect your AWS WAF (Web Application Firewall) rules and apply a size restraint rule, or define oversize handling behavior, by October 1, 2022.
>
> With AWS WAF, customers can configure rules that allow, block, captcha, or monitor (count) web requests based on conditions they define. These conditions include IP addresses, HTTP headers, HTTP body, URI strings, SQL injection and cross-site scripting. When customers enable AWS WAF for CloudFront, Application Load Balancer, API Gateway or AppSync, only the first 8 KB of the request body are forwarded to AWS WAF for inspection. The 8 KB limit helps maintain high WAF performance and low latency, even during conditions of exceptional load. However, some bypass attempts intentionally put data towards the end of large (> 8 KB) requests. If your application does not expect requests greater than 8 KB in size, you can prevent them from passing through with a WAF size constraint rule statement. This will result in large requests being denied.

Don't like the sound of that.
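
The email quoted in the comment above describes the mechanism but not the failure mode in concrete terms. The following is an added example, written for this page; it is not code from aws-waf-security-automations and not from any commenter. It models, in plain Python, how WAF sees only the first 8 KB of a body, how `OversizeHandling` (`CONTINUE`, `MATCH`, `NO_MATCH`) changes a rule's result, and how a `SizeConstraintStatement` placed ahead of the inspection rules closes the bypass. The SQLi detector is an assumed stand-in regex (AWS's real detector is not public), the request bodies are constructed inline, and the rule dicts only mirror the shape of WAFv2 statements rather than being a validated API payload.

```python
"""Added example (not project code): a model of AWS WAF partial body inspection,
OversizeHandling, and a size constraint rule closing the >8 KB bypass."""
import operator
import re

# Bytes of the request body forwarded to AWS WAF for inspection (8 KB per the email).
BODY_INSPECTION_LIMIT = 8 * 1024

# Assumed stand-in for SqliMatchStatement; the real WAF detector is not this regex.
SQLI_PATTERN = re.compile(rb"(?i)'\s*or\s*'1'\s*=\s*'1|union\s+select|;\s*drop\s+table")

OPS = {"EQ": operator.eq, "NE": operator.ne, "LE": operator.le,
       "LT": operator.lt, "GE": operator.ge, "GT": operator.gt}


def build_request_body(payload: bytes, pad_to: int) -> bytes:
    """Constructed form body padded so that `payload` lands at the very end."""
    head, sep = b"comment=", b"&q="
    filler = b"A" * max(0, pad_to - len(head) - len(sep) - len(payload))
    return head + filler + sep + payload


def inspect_body(body: bytes, oversize_handling: str):
    """Mimic WAF truncation. Returns (bytes WAF sees, forced verdict or None).

    For an oversize body, MATCH / NO_MATCH force the statement result to
    True / False; CONTINUE evaluates the statement on the truncated bytes only."""
    if len(body) <= BODY_INSPECTION_LIMIT:
        return body, None
    truncated = body[:BODY_INSPECTION_LIMIT]
    if oversize_handling == "MATCH":
        return truncated, True
    if oversize_handling == "NO_MATCH":
        return truncated, False
    if oversize_handling == "CONTINUE":
        return truncated, None
    raise ValueError(f"unknown OversizeHandling {oversize_handling!r}")


def statement_matches(statement: dict, body: bytes) -> bool:
    """Evaluate the two WAFv2 statement shapes this model supports (body field only)."""
    if "SqliMatchStatement" in statement:
        s = statement["SqliMatchStatement"]
        seen, forced = inspect_body(body, s["FieldToMatch"]["Body"]["OversizeHandling"])
        return forced if forced is not None else SQLI_PATTERN.search(seen) is not None
    if "SizeConstraintStatement" in statement:
        s = statement["SizeConstraintStatement"]
        seen, forced = inspect_body(body, s["FieldToMatch"]["Body"]["OversizeHandling"])
        return forced if forced is not None else OPS[s["ComparisonOperator"]](len(seen), s["Size"])
    raise ValueError("unsupported statement in this model")


def evaluate_web_acl(rules: list, body: bytes, default_action: str = "ALLOW") -> str:
    """First rule (by priority) whose statement matches decides; otherwise the default."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if statement_matches(rule["Statement"], body):
            return rule["Action"]
    return default_action


def sqli_rule(oversize_handling: str, priority: int = 10) -> dict:
    return {"Name": "sqli-body", "Priority": priority, "Action": "BLOCK",
            "Statement": {"SqliMatchStatement": {
                "FieldToMatch": {"Body": {"OversizeHandling": oversize_handling}}}}}


# Weak: SQLi inspection with CONTINUE, so bytes past 8 KB are never looked at.
WEAK_ACL = [sqli_rule("CONTINUE")]

# Fix 1: the same SQLi rule, but any oversize body counts as a match.
SQLI_MATCH_ACL = [sqli_rule("MATCH")]

# Fix 2: a size constraint rule ahead of the others that blocks bodies over the
# limit, which is what the email recommends when the app never needs > 8 KB bodies.
HARDENED_ACL = [
    {"Name": "oversize-body", "Priority": 0, "Action": "BLOCK",
     "Statement": {"SizeConstraintStatement": {
         "FieldToMatch": {"Body": {"OversizeHandling": "MATCH"}},
         "ComparisonOperator": "GT", "Size": BODY_INSPECTION_LIMIT}}},
] + WEAK_ACL

# Constructed sample requests: the payload sits at the end of the body.
SQLI = b"' OR '1'='1"
SMALL_ATTACK = build_request_body(SQLI, pad_to=512)
OVERSIZE_ATTACK = build_request_body(SQLI, pad_to=BODY_INSPECTION_LIMIT + 1024)
BENIGN = build_request_body(b"hello", pad_to=512)

if __name__ == "__main__":
    for name, acl in [("weak", WEAK_ACL), ("sqli MATCH", SQLI_MATCH_ACL), ("hardened", HARDENED_ACL)]:
        for label, body in [("small attack", SMALL_ATTACK), ("oversize attack", OVERSIZE_ATTACK), ("benign", BENIGN)]:
            print(f"{name:11} {label:16} {len(body):5d} B -> {evaluate_web_acl(acl, body)}")
```

Running it shows the weak ACL blocking the 512-byte injection but allowing the same payload once it is pushed past 8 KB, while either setting `MATCH` on the inspection rule or adding the size constraint rule blocks the oversize request. The 8 KB figure and the three handling modes are those named in the email and the linked docs; the limit differs by resource type and has changed since, so check the current value in the docs rather than hard-coding 8192, and size the constraint to what the application actually accepts rather than to the inspection limit.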

btmndkh commented 1 year ago

Same here. Any solutions?

sbe-arg commented 1 year ago

Merged here: https://github.com/awslabs/aws-waf-security-automations/pull/222, although a PR opened and merged without approval by the same contributor seems like poor practice.