What is Body Data?
Body data is the main content sent in POST, PUT, and PATCH requests. It contains the actual information being submitted - form data, JSON payloads, file uploads, or API commands.
Common Body Data Formats
JSON (application/json)
{
"username": "user@example.com",
"password": "secret123",
"remember": true
}
Form URL-Encoded (application/x-www-form-urlencoded)
username=user%40example.com&password=secret123&remember=true
Multipart Form Data (multipart/form-data)
------WebKitFormBoundary
Content-Disposition: form-data; name="file"
Content-Type: image/jpeg
[binary data]
------WebKitFormBoundary
XML (application/xml)
<request>
<username>user@example.com</username>
<password>secret123</password>
</request>
Plain Text (text/plain)
Using Body Data in Policies
Basic Examples
Check for specific field:
Field Type: Body Data Reference
Field Reference: email
Operator: contains
Value: @suspicious.com
Action: Challenge
Validate required fields:
Field Type: Body Data Reference
Field Reference: user.age
Operator: is not present
AND
Field Type: Request Path
Operator: equals
Value: /register
Action: Block
Advanced JSON Navigation
For nested JSON objects, use path notation:
{
"user": {
"profile": {
"email": "test@example.com"
}
}
}
Access with: user.profile.email or user->profile->email
Array Access
{
"items": [
{ "id": 1, "name": "First" },
{ "id": 2, "name": "Second" }
]
}
Access with:
items[0].name - First item’s name
items[].name - Any item’s name
Security Patterns
SQL Injection Detection
Field Type: Body Data Reference
Field Reference: search
Operator: matches regex
Value: (SELECT|UNION|DROP|INSERT|UPDATE|DELETE).*FROM
Action: Block
XSS Prevention
Field Type: Body Data Reference
Field Reference: comment
Operator: contains any
Values:
- <script
- javascript:
- onerror=
- onclick=
Action: Block
Command Injection
Field Type: Body Data Reference
Field Reference: filename
Operator: contains any
Values:
- ../
- ;
- |
- &&
- $(
Action: Block
Security Alert: Never trust body data! Always validate and sanitize on the server side, even with Esper policies in place.
Size and Content Validation
Prevent Large Payloads
Field Type: Body Size
Operator: greater than
Value: 10485760 # 10MB
Action: Block
Enforce Content Types
Field Type: Request Path
Operator: equals
Value: /api/upload
AND
Field Type: Header
Field Reference: Content-Type
Operator: not starts with
Value: multipart/form-data
Action: Block
Best Practices
DO:
- Validate structure - Ensure expected fields exist
- Check data types - Numbers should be numbers
- Limit sizes - Prevent resource exhaustion
- Sanitize inputs - Block dangerous characters
- Log suspicious patterns - For security analysis
- Use specific paths - Target exact fields in JSON
DON’T:
- Parse complex formats in policies - Do that server-side
- Store sensitive data in logs
- Trust client validation - Always verify server-side
- Block common words - Too many false positives
- Ignore encoding - Base64 can hide attacks
Working with Different Content Types
JSON API Protection
# Ensure valid JSON structure
Field Type: Header
Field Reference: Content-Type
Operator: equals
Value: application/json
AND
Field Type: Body Data
Operator: is valid JSON
Action: Continue
ELSE
Action: Block
# Check for required form fields
Field Type: Body Data Reference
Field Reference: email
Operator: matches regex
Value: ^[^@]+@[^@]+\.[^@]+$
AND
Field Type: Body Data Reference
Field Reference: terms_accepted
Operator: equals
Value: true
File Upload Security
# Restrict file types
Field Type: Body Data Reference
Field Reference: file.content_type
Operator: not in
Values:
- image/jpeg
- image/png
- application/pdf
Action: Block
Common Attack Patterns
Password Spraying
# Many attempts, same password
Field Type: Body Data Reference
Field Reference: password
Operator: equals
Value: Password123
Window: 5 minutes
Threshold: 10
Action: Block
Credential Stuffing
# Rapid login attempts
Field Type: Request Path
Operator: equals
Value: /login
AND
Field Type: Body Data Reference
Field Reference: username
Operator: is present
Window: 1 minute
Threshold: 20
Action: Block
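The Window and Threshold fields in the two rules above describe a sliding-window count. The Python below is an added example, not Esper's own code: it generalizes the page's fixed Password123 rule to any password shared across attempts (keyed by a hash, never the plaintext) and assumes the login rule is counted per client address, which the page does not specify.

```python
import hashlib
from collections import defaultdict, deque

class WindowedThreshold:
    """Sliding-window counter behind the page's Window/Threshold fields: returns
    True once `threshold` events for the same key fall within `window_seconds`."""
    def __init__(self, window_seconds: int, threshold: int) -> None:
        self.window, self.threshold = window_seconds, threshold
        self.events = defaultdict(deque)  # key -> timestamps still inside the window

    def observe(self, key: str, ts: float) -> bool:
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:  # expire timestamps that left the window
            q.popleft()
        return len(q) >= self.threshold

def run(requests: list) -> dict:
    """Evaluate requests (dicts with ts, ip, path, body) in order; map the index of
    each request that trips a rule to the names of the rules tripped."""
    # Password Spraying: many attempts, same password (5 minutes / 10). The counter
    # is keyed by a hash of the password so the plaintext is never retained.
    spraying = WindowedThreshold(window_seconds=300, threshold=10)
    # Credential Stuffing: rapid /login attempts (1 minute / 20), counted per client
    # address. That key is an assumption; the page does not say what it counts by.
    stuffing = WindowedThreshold(window_seconds=60, threshold=20)
    tripped = {}
    for i, req in enumerate(requests):
        body, fired = req["body"], []
        if req["path"] == "/login" and body.get("username") is not None:
            if stuffing.observe(req["ip"], req["ts"]):
                fired.append("Credential Stuffing")
        if isinstance(body.get("password"), str):
            digest = hashlib.sha256(body["password"].encode()).hexdigest()
            if spraying.observe(digest, req["ts"]):
                fired.append("Password Spraying")
        if fired:
            tripped[i] = fired
    return tripped

# Constructed: 12 logins, each from a new address and username, one shared password.
SPRAY_SAMPLE = [{"ts": 20.0 * i, "ip": f"198.51.100.{i + 1}", "path": "/login",
                 "body": {"username": f"user{i}@example.com", "password": "Password123"}}
                for i in range(12)]
# Constructed: 25 logins from one address in 50 seconds, a different password each time.
STUFF_SAMPLE = [{"ts": 2.0 * i, "ip": "203.0.113.7", "path": "/login",
                 "body": {"username": "victim@example.com", "password": f"guess{i}"}}
                for i in range(25)]
```

The spraying rule trips on the tenth shared-password attempt even though every address and username differs, which a per-address rule alone would miss.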
API Abuse
# Excessive data requests
Field Type: Body Data Reference
Field Reference: limit
Operator: greater than
Value: 1000
Action: Challenge
Encoding Challenges
Base64 Detection
Field Type: Body Data Reference
Field Reference: data
Operator: matches regex
Value: ^[A-Za-z0-9+/]+=*$
Action: Decode and inspect
URL Encoding
# Detect encoded attacks
Field Type: Body Data
Operator: contains
Value: %3Cscript
Action: Block # URL encoded <script
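The "Decode and inspect" action above and the "Ignore encoding" warning under Best Practices come down to the same step: peel encodings before matching. This added example (not from the page or Esper) does that in Python with the page's own Base64 regex and XSS marker list, bounding the decode depth; the inputs are constructed.

```python
import base64
import re
from typing import Optional
from urllib.parse import unquote

# The page's Base64 Detection regex and its XSS Prevention marker list.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+=*$")
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onclick=")

def decode_layers(value: str, max_depth: int = 3) -> list:
    """Return the value followed by each successively decoded form: percent-decoding
    first, then base64 when the text matches the page's regex. Depth is bounded so a
    nested payload cannot loop the inspector; unquote (not unquote_plus) keeps '+'."""
    layers = [value]
    for _ in range(max_depth):
        current = layers[-1]
        decoded = unquote(current)
        if decoded == current and BASE64_RE.match(current):
            padded = current + "=" * (-len(current) % 4)  # regex allows missing padding
            try:
                decoded = base64.b64decode(padded, validate=True).decode("utf-8")
            except ValueError:  # not real base64, e.g. an ordinary word like "hello"
                break
        if decoded == current:
            break
        layers.append(decoded)
    return layers

def find_xss_marker(value: str) -> Optional[str]:
    """Run the XSS 'contains any' check over every decoded layer and return the
    marker that matched, or None. Matching is case-insensitive."""
    for layer in decode_layers(value):
        lowered = layer.lower()
        for marker in XSS_MARKERS:
            if marker in lowered:
                return marker
    return None

# Constructed inputs: the page's percent-encoded form, a base64 form, a percent-encoded
# base64 form, and a harmless word that happens to match the base64 regex.
SAMPLES = {
    "%3Cscript%3E": "<script",
    "PHNjcmlwdD4=": "<script",
    "PHNjcmlwdD4%3D": "<script",
    "hello": None,
}

def check_samples() -> dict:
    """Map each constructed input to the marker found (None when clean)."""
    return {value: find_xss_marker(value) for value in SAMPLES}
```

The "hello" case shows why the Base64 rule's action is "Decode and inspect" rather than "Block": the regex alone matches plain words, so only the decoded content should be judged.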
Troubleshooting
“Can’t access nested fields”
- Check JSON structure
- Verify path notation
- Ensure proper parsing
- Look for array vs object
“Policy not matching body content”
- Confirm Content-Type header
- Check encoding (UTF-8, etc.)
- Verify body size limits
- Test with exact payload
Advanced Patterns
Business Logic Validation
# Prevent price manipulation
Field Type: Body Data Reference
Field Reference: items[].price
Operator: any less than
Value: 0
Action: Block
Data Consistency Checks
# Email fields must match
Field Type: Body Data Reference
Field Reference: email
NOT EQUALS
Field Type: Body Data Reference
Field Reference: confirm_email
Action: Block
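The Advanced JSON Navigation and Array Access notation and the two rules above (items[].price "any less than", and NOT EQUALS between email and confirm_email) share one piece of machinery: resolving a Body Data Reference to the values it selects. This added Python example, not Esper's implementation, builds that resolver for dot, ->, [n] and [] paths and evaluates both rules over a constructed payload.

```python
import re
from typing import Any

# One path step: a key (anything but '.', '[' or ']') or an index such as [0] or [].
_STEP = re.compile(r"([^.\[\]]+)|\[(\d*)\]")

def resolve(body: Any, path: str) -> list:
    """Return every value the reference selects; [] means 'is not present'.
    Dot and '->' notation are equivalent, [n] picks one element and [] fans
    out over all elements, so items[].price yields a list of prices."""
    current = [body]
    for key, index in _STEP.findall(path.replace("->", ".")):
        nxt = []
        for node in current:
            if key:
                if isinstance(node, dict) and key in node:
                    nxt.append(node[key])
            elif isinstance(node, list):
                if index == "":
                    nxt.extend(node)
                elif int(index) < len(node):
                    nxt.append(node[int(index)])
        current = nxt
    return current

def any_less_than(body: Any, path: str, limit: float) -> bool:
    """'any less than': True if any selected value is a number below limit.
    Non-numeric values (a price sent as a string) are ignored here; a separate
    data-type rule should reject them, as the Best Practices section advises."""
    values = resolve(body, path)
    return any(isinstance(v, (int, float)) and not isinstance(v, bool) and v < limit
               for v in values)

def fields_differ(body: Any, first: str, second: str) -> bool:
    """'NOT EQUALS' between two references: True when the selected values differ,
    which includes one field being present and the other missing."""
    return resolve(body, first) != resolve(body, second)

# Constructed sample payload combining the page's navigation examples with an order.
SAMPLE = {
    "user": {"profile": {"email": "test@example.com"}},
    "email": "test@example.com",
    "confirm_email": "tset@example.com",
    "items": [{"id": 1, "name": "First", "price": 9.99},
              {"id": 2, "name": "Second", "price": -5}],
}
```

A missing field resolves to an empty list, which is how "is not present" (the user.age rule under Basic Examples) falls out of the same resolver.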