'Azure Web Application Firewall (WAF) not diferentiating file uploads from normal posts and returning 413

The Azure WAF can be configured to check the maximum size of a request like this:

wad screenshot

Anyway, besides having this configuration, any time we upload a file the WAF considers it as a "not file upload operation" and returns 413 "Request entity too large" if the file exceeds 128 Kb.

We are sending the POST request with what we think are the right headers:

Content-disposition: attachment; filename="testImage.jpg"
Content-Length: 2456088
Content-Type: image/jpeg

But it does not make a difference. Any idea why the WAF does not see this is a file upload and applies the Max file upload check instead of the Max request body size limit?



Solution 1:[1]

After several conversations with Microsoft we found that the WAF considers only file attachments if they are sent using multipart/form-data

Multipart example

If you send it this way the WAF will understand it is a file and thus will apply the limits configured for files instead than for bodies.

There is no other way to send files supported by the WAF for now.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Ignacio Soler Garcia