Field Policies
An extra layer of security for ensuring no unwanted values are passed through a request.
Field Policies let you block or explicitly allow specific values for a field in the request's body or headers.
Configure them by using access.fieldPolicies like so:
```yaml
settings:
  access:
    fieldPolicies:
      "@number":
        - value: "+123400002"
          action: block
        - value: "+123400003"
          action: allow
```
Set the action to take when a value matches; the available options are block and allow.
important
String fields always try to use:
- Regex matching
- Exact match as a fallback if the pattern fails to compile
warning
Remember that some symbols have special meanings in regex. A good rule of thumb is:
- If it is a special character, it probably needs to be escaped (/) if you are not looking to use regex
- Otherwise test your pattern on a regex testing site
note
Supported placeholder types:
| . Variables | @ Body | # Headers |
|---|---|---|
| ❌ | ✅ | ✅ |
Behavior
| Allow | Block | Result |
|---|---|---|
| number=+123400003 | — | number may only be +123400003 |
| — | number=+123400002 | number may not be +123400002 |
| message=hello | number=+123400002 | number may not be +123400002; message may only be hello |
| number=+123400003 | number=+12340000[2-9] | number may not be +123400002 through +123400009, except +123400003 |
Rules
- Field-scoped (policies for a don't affect policies for b)
- Default: allow all
- Allow rules exist: default block
- Only block rules exist: default allow
- Explicit allow overrides block
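
The rules above, written out as a small Python model and run against the rows of the Behavior table. This is an added illustration, not the project's own code: the function names are hypothetical, whole-value matching is an assumption, and Python's `re` stands in for whatever regex engine the project uses.

```python
import re

def _matches(pattern: str, value: str) -> bool:
    """Regex first; if the pattern does not compile, fall back to exact match."""
    try:
        # Assumption: the pattern must match the whole value, not a substring.
        return re.fullmatch(pattern, value) is not None
    except re.error:
        return pattern == value

def field_allowed(rules: list, value: str) -> bool:
    """Decide one field using only that field's rules (policies are field-scoped)."""
    allows = [r["value"] for r in rules if r["action"] == "allow"]
    blocks = [r["value"] for r in rules if r["action"] == "block"]
    if any(_matches(p, value) for p in allows):
        return True        # explicit allow overrides block
    if any(_matches(p, value) for p in blocks):
        return False
    return not allows      # allow rules exist: default block; otherwise default allow

def request_allowed(policies: dict, fields: dict) -> bool:
    """fields maps placeholder -> string value, e.g. {"@number": "+123400003"}."""
    return all(field_allowed(policies.get(k, []), v) for k, v in fields.items())

# Constructed policies mirroring the Behavior table rows.
ONLY_ALLOW = {"@number": [{"value": "+123400003", "action": "allow"}]}
ONLY_BLOCK = {"@number": [{"value": "+123400002", "action": "block"}]}
TWO_FIELDS = {
    "@message": [{"value": "hello", "action": "allow"}],
    "@number": [{"value": "+123400002", "action": "block"}],
}
# In Python's re an unescaped leading "+" does not compile, so "+123400003" is
# compared exactly. The range pattern escapes the "+" so it compiles as a regex.
ALLOW_OVER_BLOCK = {"@number": [
    {"value": "+123400003", "action": "allow"},
    {"value": r"\+12340000[2-9]", "action": "block"},
]}

if __name__ == "__main__":
    for n in ("+123400002", "+123400003", "+123400005"):
        print(n, request_allowed(ALLOW_OVER_BLOCK, {"@number": n}))
```
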