Zuplo
Security & Validation

Request Validation Policy

The Request Validation policy is used to validate incoming requests based on schemas in OpenAPI specifications.

When configured, any requests that do not conform to your OpenAPI schema will be rejected with a 400: Bad Request response containing a detailed error message (in JSON) explaining why the request was not accepted.

Configuration

The configuration shows how to configure the policy in the 'policies.json' document.

{
  "name": "my-request-validation-inbound-policy",
  "policyType": "request-validation-inbound",
  "handler": {
    "export": "RequestValidationInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "includeRequestInLogs": false,
      "logLevel": "info",
      "validateBody": "reject-and-log",
      "validateHeaders": "none",
      "validatePathParameters": "log-only",
      "validateQueryParameters": "log-only"
    }
  }
}
json

Policy Configuration

  • name <string> - The name of your policy instance. This is used as a reference in your routes.
  • policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be request-validation-inbound.
  • handler.export <string> - The name of the exported type. Value should be RequestValidationInboundPolicy.
  • handler.module <string> - The module containing the policy. Value should be $import(@zuplo/runtime).
  • handler.options <object> - The options for this policy. See Policy Options below.

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

  • logLevel <string> - The log level to use when logging validation errors. Allowed values are error, warn, info, debug. Defaults to "info".
  • validateBody <string> - The action to perform when validation fails. Allowed values are none, log-only, reject-and-log, reject-only. Defaults to "none".
  • validateQueryParameters <string> - The action to perform when validation fails. Allowed values are none, log-only, reject-and-log, reject-only. Defaults to "none".
  • validatePathParameters <string> - The action to perform when validation fails. Allowed values are none, log-only, reject-and-log, reject-only. Defaults to "none".
  • validateHeaders <string> - The action to perform when validation fails. Allowed values are none, log-only, reject-and-log, reject-only. Defaults to "none".
  • includeRequestInLogs <boolean> - Whether to include the request in the logs. Defaults to false.

Using the Policy

Here's an example of how to specify a schema for validation in a request body in OpenAPI.

  "requestBody": {
    "description": "user to add to the system",
    "content": {
      "application/json": {
        "schema": {
          "type": "object",
          "properties": {
            "name": {
              "type": "string"
            },
            "age": {
              "type": "integer"
            }
          },
          "required": [
            "name",
            "age"
          ]
        }
      }
    }
  }
json

Read more about how policies work

Audit Logs PolicyBot Detection Policy