Why WAF policy settings "Enforce maximum request body limit" setting is not the same as in WAF policy json property: properties.policySettings.requestBodyEnforcement

Question

Why WAF policy settings "Enforce maximum request body limit" setting is not the same as in WAF policy json property: properties.policySettings.requestBodyEnforcement

Elisa 20

Ravi Teja M 615 Microsoft External Staff

Hello Elisa,

The reason the Azure portal setting "Enforce maximum request body limit" does not directly correspond to the JSON property properties.policySettings.requestBodyEnforcement is that the user interface option bundles together two distinct but related JSON properties:

requestBodyEnforcement: This is a simple boolean (true/false) property that determines whether the Web Application Firewall (WAF) should enforce any request body size limits at all.
maxRequestBodySizeInKb: This integer property specifies the maximum allowable request body size in kilobytes.

When you toggle the single "Enforce maximum request body limit" setting in the Azure portal, it manages both of these properties behind the scenes.

How the portal setting maps to the JSON properties

The Azure portal offers a simplified experience, abstracting the details of the underlying REST API and JSON structure. The "Enforce maximum request body limit" checkbox performs the following logic:


Portal setting	`requestBodyEnforcement` (boolean)	`maxRequestBodySizeInKb` (integer)
Checked (enabled)	`true`	The value specified in the adjacent "Maximum request body size" field.
Unchecked (disabled)	`false`	The value is not applicable and is ignored. In this case, the WAF does not block requests based on body size, and the maximum is determined by the Application Gateway's higher limits (up to 4 GB).

This separation provides granular control via the API (PowerShell, CLI, or Bicep) but a more user-friendly experience in the portal.

Why the JSON properties are separate

Having separate JSON properties for enforcement and the limit offers increased flexibility, especially for advanced use cases.

Granular control: By decoupling the "on/off" switch (requestBodyEnforcement) from the size limit itself (maxRequestBodySizeInKb), administrators can independently control the behavior.
Performance vs. Security: For newer WAF engines (CRS 3.2 or newer), size enforcement can be enabled or disabled independently of request body inspection. This gives you the flexibility to prioritize performance (by disabling enforcement) or security (by keeping it enabled).
Backward compatibility: For older WAF policies (Core Rule Set 3.1 or lower), request body inspection and size enforcement were linked. The separate JSON properties accommodate this by making the size field inapplicable if inspection is turned off.

Regards,

Raviteja M.

1 answer

Your answer

Answer 1

Hi Elisa,

Welcome to Microsoft Q&A forum.

To understand the difference between Enforce maximum request body limit & WAF policy json property is as below:

Portal/UI setting: "Enforce maximum request body limit" is a friendly label shown in the Azure Portal for clarity. It indicates whether the WAF should enforce the configured maximum request body size for inspection.
JSON property: properties.policySettings.requestBodyEnforcement is the actual schema property in the WAF policy ARM template or REST API. This is the authoritative configuration key used by Azure Resource Manager

Both refer to the same logical feature:

When enabled, WAF enforces the maximum request body size limit (e.g., 128 KB for OWASP CRS).
When disabled, WAF does not block requests exceeding the limit; it only inspects up to the limit
Azure Portal uses descriptive labels for usability.
ARM schema uses technical property names for consistency across APIs and automation.

This separation between properties allows for better flexibility in policy management. You can control inspection and enforcement independently, which gives you more options for performance optimization or security configurations based on your specific scenarios.

Hope, you find this comment helpful, if yes, please “up-vote” for the information provided , this can be beneficial to community members.

Kindly let us know if you have any additional questions.

Thanks

Share via

Why WAF policy settings "Enforce maximum request body limit" setting is not the same as in WAF policy json property: properties.policySettings.requestBodyEnforcement

1 answer

Your answer