Content Filter Policy

General Information

Policy Type

policy-content-filter

UI Documentation

📖 For detailed information: [UI Documentation Link - Link will be added here]

Description

Content Filter policy filters request/response content based on regex patterns. It can block or delete content matching specified patterns in headers, body, or parameters. This policy is useful for preventing malicious content, enforcing content policies, or removing unwanted data.

Endpoints

List Policies

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Add Policy

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Update Policy

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Delete Policy

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

List Policies

Endpoint

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Request

Headers

Header Value
Authorization Bearer {token}

Path Parameters

Parameter Type Required Description
projectName string Yes Project name
apiProxyName string Yes API Proxy name

Response

Success Response (200 OK)

{
  "success": true,
  "resultList": [
    {
      "apiProxy": {
        "name": "MyAPI",
        "requestPolicyList": [
          {
            "type": "policy-content-filter",
            "name": "content-filter-policy",
            "description": "Filter malicious content",
            "active": true,
            "policyContentFilterDefList": [
              {
                "id": 1,
                "name": "SQL Injection Filter",
                "ruleValue": "(?i)(union|select|insert|delete|drop|exec|script)",
                "headerActive": true,
                "bodyActive": true,
                "paramActive": true,
                "action": "BLOCK",
                "contentType": "ALL_BODY"
              }
            ]
          }
        ],
        "responsePolicyList": [],
        "errorPolicyList": []
      }
    }
  ],
  "resultCount": 1
}

cURL Example

curl -X GET \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
  -H "Authorization: Bearer YOUR_TOKEN"

Add Policy

Endpoint

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header Value
Authorization Bearer {token}
Content-Type application/json

Path Parameters

Parameter Type Required Description
projectName string Yes Project name
apiProxyName string Yes API Proxy name
policyName string Yes Policy name

Request Body

Full JSON Body Example - Block SQL Injection
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-content-filter",
    "description": "Block SQL injection attempts",
    "active": true,
    "policyContentFilterDefList": [
      {
        "name": "SQL Injection Filter",
        "ruleValue": "(?i)(union|select|insert|delete|drop|exec|script)",
        "headerActive": true,
        "bodyActive": true,
        "paramActive": true,
        "action": "BLOCK",
        "contentType": "ALL_BODY",
        "content": null
      }
    ]
  }
}
Full JSON Body Example - Delete Sensitive Data
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-content-filter",
    "description": "Remove sensitive data from response",
    "active": true,
    "policyContentFilterDefList": [
      {
        "name": "Credit Card Filter",
        "ruleValue": "\\b\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b",
        "headerActive": false,
        "bodyActive": true,
        "paramActive": false,
        "action": "DELETE",
        "contentType": "JSON",
        "content": null
      }
    ]
  }
}
Request Body Fields
operationMetadata
Field Type Required Default Description
targetScope string Yes - Policy scope: ALL or ENDPOINT
targetEndpoint string No* - Endpoint path (required if targetScope=ENDPOINT)
targetEndpointHTTPMethod string No* - HTTP method (required if targetScope=ENDPOINT)
targetPipeline string Yes - Pipeline: REQUEST, RESPONSE, or ERROR
deploy boolean No true Whether to deploy after adding policy
deployTargetEnvironmentNameList array No [] List of environment names to deploy to
order integer No null Policy execution order (starts from 1)

Enum: targetScope

  • ALL - Policy applies to all endpoints
  • ENDPOINT - Policy applies only to specified endpoint

Enum: targetPipeline

  • REQUEST - Executes in request pipeline (filters request content)
  • RESPONSE - Executes in response pipeline (filters response content)
  • ERROR - Executes in error pipeline

Enum: targetEndpointHTTPMethod

  • GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD
policy
Field Type Required Default Description
type string Yes - Policy type: policy-content-filter
description string No - Policy description
active boolean No true Whether policy is active
policyContentFilterDefList array Yes - List of filter definitions (at least one required)

Note: policyContentFilterDefList must contain at least one filter definition.

policyContentFilterDefList

Each filter definition is an object with the following fields:

Field Type Required Default Description
id integer No - Filter definition ID (auto-generated)
name string Yes - Filter definition name
ruleValue string Yes - Regex pattern to match
headerActive boolean No false Apply filter to headers
bodyActive boolean No false Apply filter to body
paramActive boolean No false Apply filter to parameters
action string No BLOCK Action: BLOCK or DELETE
contentType string No XML Content type: XML, JSON, or ALL_BODY
content string No null Additional content configuration

EnumContentFilterAction

  • BLOCK - Block the request/response if pattern matches
  • DELETE - Delete matching content from request/response

EnumMessageContentType

  • XML - Filter XML content
  • JSON - Filter JSON content
  • ALL_BODY - Filter all body content types

Regex Pattern

  • ruleValue must be a valid Java regex pattern
  • Use (?i) prefix for case-insensitive matching
  • Use \\b for word boundaries
  • Use \\d for digits, \\s for whitespace
  • Use [] for character classes, () for groups

Note

  • At least one of headerActive, bodyActive, or paramActive must be true.
  • name and ruleValue are required.
  • action defaults to BLOCK if not specified.

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

cURL Example

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/content-filter-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "operationMetadata": {
      "targetScope": "ALL",
      "targetPipeline": "REQUEST",
      "deploy": true,
      "deployTargetEnvironmentNameList": ["production"],
      "order": 1
    },
    "policy": {
      "type": "policy-content-filter",
      "description": "Block SQL injection",
      "active": true,
      "policyContentFilterDefList": [
        {
          "name": "SQL Injection Filter",
          "ruleValue": "(?i)(union|select|insert|delete|drop|exec)",
          "headerActive": true,
          "bodyActive": true,
          "paramActive": true,
          "action": "BLOCK",
          "contentType": "ALL_BODY"
        }
      ]
    }
  }'

Update Policy

Endpoint

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header Value
Authorization Bearer {token}
Content-Type application/json

Path Parameters

Parameter Type Required Description
projectName string Yes Project name
apiProxyName string Yes API Proxy name
policyName string Yes Policy name

Request Body

Full JSON Body Example
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["tester"],
    "order": 1
  },
  "policy": {
    "type": "policy-content-filter",
    "description": "Updated: Enhanced security filters for SQL injection and XSS",
    "active": true,
    "policyContentFilterDefList": [
      {
        "name": "SQL Injection Filter",
        "ruleValue": "(?i)(union|select|insert|delete|drop|exec|script|alter|create|truncate)",
        "headerActive": true,
        "bodyActive": true,
        "paramActive": true,
        "action": "BLOCK",
        "contentType": "ALL_BODY",
        "content": null
      },
      {
        "name": "XSS Filter",
        "ruleValue": "(?i)(<script|javascript:|onerror|onload|eval\\()",
        "headerActive": true,
        "bodyActive": true,
        "paramActive": true,
        "action": "BLOCK",
        "contentType": "ALL_BODY",
        "content": null
      }
    ]
  }
}

Note: Request body structure is the same as Add Policy. All fields should be provided for update.

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

Delete Policy

Endpoint

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header Value
Authorization Bearer {token}
Content-Type application/json

Path Parameters

Parameter Type Required Description
projectName string Yes Project name
apiProxyName string Yes API Proxy name
policyName string Yes Policy name

Request Body

Full JSON Body Example
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": false
  }
}

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": []
  }
}

Notes and Warnings

  • Action Type:
    • BLOCK - Rejects the request/response if pattern matches
    • DELETE - Removes matching content from request/response
  • Content Type:
    • XML - Filter XML content only
    • JSON - Filter JSON content only
    • ALL_BODY - Filter all body content types
  • Active Flags: At least one of headerActive, bodyActive, or paramActive must be true
  • Regex Pattern:
    • Must be valid Java regex pattern
    • Use (?i) for case-insensitive matching
    • Use \\b for word boundaries
    • Use \\d for digits, \\s for whitespace
  • Performance: Content filtering adds processing overhead. Use efficient regex patterns.
  • Pipeline:
    • REQUEST pipeline filters request content before forwarding
    • RESPONSE pipeline filters response content before sending to client
  • Block Action: When action: BLOCK, the entire request/response is rejected
  • Delete Action: When action: DELETE, only matching content is removed
  • Multiple Filters: Multiple filter definitions are evaluated in order
  • Error Handling: Invalid regex patterns may cause policy execution to fail
  • Deployment: Policy changes require deployment to take effect. Set deploy: true or deploy manually.