Size constraint rule statement - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced

Size constraint rule statement

This section explains what a size constraint statement is and how it works.

A size constraint statement compares the number of bytes that Amazon WAF receives for a web request component to a number that you provide, and matches according to your comparison criteria.

Note

This statement uses the size of the component that Amazon WAF receives for inspection. For body, header, and cookie components, this size could be less than the original size that was sent to the protected resource. For more information, see Oversize web request components in Amazon WAF.

The comparison criterion is an operator such as greater than (>) or less than (<). For example, you can match on requests that have a query string with a size that's greater than 100 bytes.

If you inspect the URI path, any / in the path counts as one character. For example, the URI path /logo.jpg is nine characters long.

Note

This statement only inspects the size of the web request component. It doesn't inspect the contents of the component.

Rule statement characteristics

Nestable – You can nest this statement type.

WCUs – 1 WCU, as a base cost. If you use the request component All query parameters, add 10 WCUs. If you use the request component JSON body, double the base cost WCUs. For each Text transformation that you apply, add 10 WCUs.

This statement type operates on a web request component, and requires the following request component settings:

  • Request component – The part of the web request to inspect, for example, a query string or the body. For information about web request components, see Adjusting rule statement settings in Amazon WAF.

    A size constraint statement inspects only the size of the component after any transformations have been applied. It does not inspect the contents of the component.

  • Optional text transformations – Transformations that you want Amazon WAF to perform on the request component before inspecting its size. For example, you could compress white space or decode HTML entities. If you specify more than one transformation, Amazon WAF processes them in the order listed. For information, see Using text transformations in Amazon WAF.

Additionally, this statement requires the following settings:

  • Size match condition – This indicates the numerical comparison operator to use to compare the size that you provide with the request component that you've chosen. Choose the operator from the list.

  • Size – The size setting, in bytes, to use in the comparison.

    Note

    For body, header, and cookie components, use a size less than the max size that Amazon WAF can inspect. A larger number will never result in a match. For more information, see Oversize web request components in Amazon WAF.
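The settings above can be modeled locally to check a rule's behavior before deploying it. The following is an added example, not AWS code: it measures size after truncation to the inspected portion and after transformations, and applies the WCU arithmetic stated on this page. The `inspect_limit` parameter, the 8,192-byte value used with it, and the simplified `compress_white_space` function are assumptions for illustration; the operator and component names follow the WAFv2 API.

```python
import operator
import re

# Comparison operators, named as in the API's ComparisonOperator field.
OPS = {"EQ": operator.eq, "NE": operator.ne, "LE": operator.le,
       "LT": operator.lt, "GE": operator.ge, "GT": operator.gt}

def compress_white_space(data: bytes) -> bytes:
    """Simplified local stand-in for a whitespace-compressing transformation."""
    return re.sub(rb"[ \t\r\n\f\v]+", b" ", data)

def size_constraint_matches(component, op, size, transforms=(), inspect_limit=None):
    """Model of the statement: keep only the bytes received for inspection,
    apply transformations in the order listed, then compare the byte count."""
    if inspect_limit is not None:          # hypothetical inspection limit
        component = component[:inspect_limit]
    for transform in transforms:
        component = transform(component)
    return OPS[op](len(component), size)

def wcu_cost(component_type: str, n_transforms: int) -> int:
    """WCU arithmetic as stated on this page."""
    cost = 1                               # base cost
    if component_type == "JsonBody":
        cost *= 2                          # JSON body doubles the base cost
    if component_type == "AllQueryArguments":
        cost += 10                         # all query parameters
    return cost + 10 * n_transforms        # each text transformation

if __name__ == "__main__":
    # Constructed sample inputs.
    padded_query = b"q=" + b" " * 150 + b"x"     # 153 bytes before transformation
    big_body = b"A" * 20000                      # larger than the assumed limit

    print(size_constraint_matches(b"/logo.jpg", "EQ", 9))
    # The size compared is the post-transformation size.
    print(size_constraint_matches(padded_query, "GT", 100))
    print(size_constraint_matches(padded_query, "GT", 100, [compress_white_space]))
    # A Size above the inspected portion can never match with GT.
    print(size_constraint_matches(big_body, "GT", 10000, inspect_limit=8192))
    print(size_constraint_matches(big_body, "GT", 8000, inspect_limit=8192))
    print(wcu_cost("JsonBody", 1), wcu_cost("AllQueryArguments", 2))
```
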

Where to find this rule statement

  • Rule builder on the console – For Match type, under Size match condition, choose the condition that you want to use.

  • API – SizeConstraintStatement