JSON Threat Protection

Release date 2026/04/07

Feature

• Added support for allow_non_json_requests configuration to allow non-JSON requests to bypass all checks.

Release date 2025/03/27

Feature

• Added the schema field allow_duplicate_object_entry_name to allow or disallow duplicate object keys in JSON payloads. When set to false, the plugin will reject JSON payloads with duplicate object keys. The default value is true, which is same as the previous behavior.

Bugfix

• This plugin now accurately supports proxying for non-POST/PUT/PATCH requests.

Release date 2024/12/12

Bugfix

• Fixed an issue where the length counting of escape sequences, non-ASCII characters, and object entry names in JSON Strings was incorrect; now using UTF-8 character count instead of bytes.

• Fixed an issue where certain default parameter values were incorrectly interpreted as 0 in some environments (e.g., ARM64-based):

  • max_container_depth
  • max_object_entry_count
  • max_object_entry_name_length
  • max_array_element_count
  • max_string_value_length

Release date 2024/11/04

Bugfix

• Fixed an issue where the length counting of escape sequences, non-ASCII characters, and object entry names in JSON Strings was incorrect; now using UTF-8 character count instead of bytes.

• Fixed an issue where certain default parameter values were incorrectly interpreted as 0 in some environments (e.g., ARM64-based):

  • max_container_depth
  • max_object_entry_count
  • max_object_entry_name_length
  • max_array_element_count
  • max_string_value_length

Release date 2024/09/11

Feature

• Added JSON threat protection plugin. Validates JSON nesting depth, array elements, object entries, key length, and string length. Logs or terminates violating requests.