Enable the JSON Threat Protection plugin on a Route to enforce payload limits and reject violating requests.
This is a Konnect tutorial and requires a Konnect personal access token.
Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
Export your token to an environment variable:
export KONNECT_TOKEN='YOUR_KONNECT_PAT'
Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-output
This sets up a Konnect Control Plane named quickstart, provisions a local Data Plane, and prints out the following environment variable exports:
export DECK_KONNECT_TOKEN=$KONNECT_TOKEN
export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart
export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
export KONNECT_PROXY_URL='http://localhost:8000'
Copy and paste these into your terminal to configure your session.
This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.
Export your license to an environment variable:
export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'
Run the quickstart script:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA
Once Kong Gateway is ready, you will see the following message:
Kong Gateway Ready
decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial, install decK version 1.43 or later.
This guide uses deck gateway apply, which directly applies entity configuration to your Gateway instance.
We recommend upgrading your decK installation to take advantage of this tool.
You can check your current decK version with deck version.
For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:
Run the following command:
echo '
_format_version: "3.0"
services:
- name: example-service
url: http://httpbin.konghq.com/anything
routes:
- name: example-route
paths:
- "/anything"
service:
name: example-service
' | deck gateway apply -
To learn more about entities, you can read our entities documentation.
Configure the JSON Threat Protection plugin on the example-route Route to set limits on the contents of incoming request bodies.
In the following example, we enable the plugin in block mode, which will reject any requests that don’t conform to the policy,
and instead respond with a 400 error and the message Incorrect request format:
echo '
_format_version: "3.0"
plugins:
- name: json-threat-protection
route: example-route
config:
max_body_size: 1024
max_container_depth: 2
max_object_entry_count: 4
max_object_entry_name_length: 7
max_array_element_count: 2
max_string_value_length: 6
enforcement_mode: block
error_status_code: 400
error_message: Incorrect request format
' | deck gateway apply -
Let’s make a valid request. The following request conforms to the policy that we just created:
curl -i -X POST "$KONNECT_PROXY_URL/anything" \
-H "Content-Type: application/json" \
--json '{
"name": "Jason",
"age": 20,
"gender": "male",
"parents": [
"Joseph",
"Viva"
]
}'
curl -i -X POST "http://localhost:8000/anything" \
-H "Content-Type: application/json" \
--json '{
"name": "Jason",
"age": 20,
"gender": "male",
"parents": [
"Joseph",
"Viva"
]
}'
You should get a 200 response, and the request gets proxied to the upstream service.
Now, try a request with a payload that doesn’t conform to the policy:
curl -i -X POST "$KONNECT_PROXY_URL/anything" \
-H "Content-Type: application/json" \
--json '{
"name": "Jason",
"age": 20,
"gender": "male",
"parents": [
"Antonio",
"Viva"
]
}'
curl -i -X POST "http://localhost:8000/anything" \
-H "Content-Type: application/json" \
--json '{
"name": "Jason",
"age": 20,
"gender": "male",
"parents": [
"Antonio",
"Viva"
]
}'
In this case, the string Antonio is longer than the maximum allowed string length of 6, so the request is blocked.
The plugin returns a 400 response and the message Incorrect request format.
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d
How can I enable a JSON threat protection policy without blocking non-conforming requests?
You can enable the JSON Threat Protection plugin in tap mode by setting config.enforcement_mode to log_only.
In tap mode, the plugin still inspects the JSON body but only logs warnings instead of blocking violations, and still proxies the request to the upstream service.