How do I handle WAF Size Constraint rules?

0

I'm trying to find a way to block requests that are not inspected due to the size constraints; for example, if a rule is longer than 8k and the entire rule is not inspected due to the size constraint, I would want this blocked. To satisfy this solution would I use "MATCH"?

My Question is similar to this one here - https://repost.aws/questions/QU_QAauDSSTR6hmnKQj3F19g/how-to-set-oversize-handling-waf

Though my confusion is regarding block vs. allow. If the request happens to be over 8k, does that mean an attacker can bypass the WAF inspection? For example, if the request is longer than 8k and the WAF doesn't inspect the part of the request that exceeds the 8k, would that be "ALLOWED" if I set the WAF handling to "CONTINUE"?

2 Answers
0

Hello,

AWS WAF does not support inspecting very large contents for the body and cannot inspect more than 8KB of the body of a request. To immediately block an oversized request (>8KB) without inspecting it, you can use the Match option in the rule with the action set to Block.

With the Continue option, the request will be inspected normally according to the rule inspection criteria, but only within the size limitation (8KB).

https://docs.aws.amazon.com/waf/latest/developerguide/web-request-body-inspection.html

Another option to block oversized requests is to use AWS Managed Rule groups, where the managed rule group Core Rule Set (CRS) blocks requests over 8KB.

https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-crs

AWS
answered a year ago
0

Hello AWS Customer,

First of all, as you know, AWS WAF does not support inspecting very large contents for the body, headers, or cookies request components.[1]

The limitations are as follows:

  • Body and JSON Body – You can inspect the first 8 KB (8,192 bytes) of the body of a request.
  • Headers – You can inspect at most the first 8 KB (8,192 bytes) of the request headers and at most the first 200 headers. The content is available for inspection by AWS WAF up to the first limit reached.
  • Cookies – You can inspect at most the first 8 KB (8,192 bytes) of the request cookies and at most the first 200 cookies. The content is available for inspection by AWS WAF up to the first limit reached.

For these components, you provide oversize handling instructions when you define your rule statement. Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits.

The options for oversize handling are the following:

  • Continue – Inspect the request component normally according to the rule inspection criteria. AWS WAF will inspect the request component contents that are within the size limitations.
  • Match – Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request without evaluating it against the rule's inspection criteria.
  • No match – Treat the web request as not matching the rule statement, without evaluating it against the rule's inspection criteria. AWS WAF continues its inspection of the web request using the rest of the rules in the web ACL, like it would do for any non-matching rule.

If you use the "Match" option in a rule with the action set to "Block", the rule will "block" a request where the component type is oversized. With other configurations, the final disposition of the request depends on various factors, such as the configuration of the other rules in your web ACL and the web ACL's default action setting.

Hope you will find this information useful. Please let me know if you have any further questions or concerns. We will be more than glad to assist you.

I hope you are always healthy and have a nice day.

AWS
SUPPORT ENGINEER
Jisoo_K
answered a year ago
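To make the "Match + Block" configuration from the two answers concrete, here is a WAFv2 rule in the JSON form the console rule editor accepts. It is an added example, not code from either answerer or from AWS; the rule name and metric name are assumed placeholders. The rule inspects the request body with a size constraint of greater than 8,192 bytes, and because the body's oversize handling is set to MATCH, any request whose body exceeds the 8 KB inspection limit is treated as matching and the Block action is applied without the uninspected remainder ever being relied on.

```json
{
  "Name": "block-oversized-body",
  "Priority": 0,
  "Statement": {
    "SizeConstraintStatement": {
      "FieldToMatch": {
        "Body": {
          "OversizeHandling": "MATCH"
        }
      },
      "ComparisonOperator": "GT",
      "Size": 8192,
      "TextTransformations": [
        {
          "Priority": 0,
          "Type": "NONE"
        }
      ]
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "block-oversized-body"
  }
}
```

The contrast with the question's concern is the OversizeHandling value: with CONTINUE, only the first 8 KB is evaluated and whatever lies beyond it is never seen by this rule, so the final disposition falls to the remaining rules and the web ACL's default action; with MATCH, the size alone is enough to trigger the Block. Give the rule a low priority number so it is evaluated before rules that would otherwise inspect only the truncated body, and confirm the behaviour with a sampled request whose body is slightly over 8,192 bytes.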
