Posted On: Mar 8, 2024

Starting today, AWS WAF supports inspecting up to 64KB of the body of incoming HTTP(S) requests for Amazon API Gateway, Cognito user pools, App Runner and AWS Verified Access regional resources. For the resources where this new maximum applies, the default inspection size has also changed from 8KB to 16KB. This new default will be applied to all new and existing WAF web access control lists, without additional charges.

AWS WAF is a web application firewall that enables you to monitor the HTTP(S) requests that are made to your protected web application resources. The inspection limit on the body defines the portion of each request payload WAF will inspect for application threats. Customers can continue to choose to allow, block, or count requests that exceed the limit they define. 
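As an added example (not AWS code), the following sketch audits a web ACL document for the two settings described above: the body inspection limit per resource type and rules that let oversize bodies continue past inspection. The field names (`AssociationConfig`, `DefaultSizeInspectionLimit`, `OversizeHandling`) follow the AWS WAF API; the sample ACL and rule names are constructed.

```python
# Resource types named in the announcement, as AWS WAF API enum keys.
REGIONAL_TYPES = ("API_GATEWAY", "COGNITO_USER_POOL",
                  "APP_RUNNER_SERVICE", "VERIFIED_ACCESS_INSTANCE")
DEFAULT_KB = 16  # default body inspection size stated in the announcement

def inspection_limits(web_acl):
    """Return {resource_type: limit in KB}, falling back to the default."""
    body_cfg = web_acl.get("AssociationConfig", {}).get("RequestBody", {})
    limits = {}
    for rtype in REGIONAL_TYPES:
        value = body_cfg.get(rtype, {}).get("DefaultSizeInspectionLimit")
        limits[rtype] = int(value.split("_")[1]) if value else DEFAULT_KB  # "KB_64" -> 64
    return limits

def oversize_continue(node, rule=None, found=None):
    """Collect rules whose Body/JsonBody match lets oversize requests continue,
    meaning bytes past the inspection limit are never evaluated by that rule."""
    found = [] if found is None else found
    if isinstance(node, dict):
        # A rule carries both Name and Statement; nested statements keep its name.
        rule = node.get("Name", rule) if "Statement" in node else rule
        for key, val in node.items():
            if key in ("Body", "JsonBody") and isinstance(val, dict):
                # CONTINUE is the API default when OversizeHandling is omitted.
                if val.get("OversizeHandling", "CONTINUE") == "CONTINUE" and rule not in found:
                    found.append(rule)
            oversize_continue(val, rule, found)
    elif isinstance(node, list):
        for item in node:
            oversize_continue(item, rule, found)
    return found

# Constructed sample in the shape returned by GetWebACL (values are illustrative).
SAMPLE_ACL = {
    "Name": "example-acl",
    "AssociationConfig": {"RequestBody": {
        "API_GATEWAY": {"DefaultSizeInspectionLimit": "KB_64"}}},
    "Rules": [
        {"Name": "sqli-body", "Statement": {"SqliMatchStatement": {
            "FieldToMatch": {"Body": {"OversizeHandling": "CONTINUE"}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}},
        {"Name": "xss-body", "Statement": {"XssMatchStatement": {
            "FieldToMatch": {"Body": {"OversizeHandling": "MATCH"}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}},
    ],
}

if __name__ == "__main__":
    print("limits (KB):", inspection_limits(SAMPLE_ACL))
    print("rules passing oversize bodies uninspected:", oversize_continue(SAMPLE_ACL))
```

Rules reported by `oversize_continue` are candidates for `MATCH` handling with a block or count action, so requests larger than the configured limit are handled explicitly.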

AWS WAF previously had a maximum request body inspection of 8KB, except for CloudFront, which already supports increased limits of 64KB. Customers can now use the higher 64KB body limits with Amazon API Gateway, Cognito user pools, App Runner and AWS Verified Access protected resources, in all AWS Regions where AWS WAF is available. Support for increased body limits for Application Load Balancers and AWS AppSync is currently not available. You will be charged extra for each additional 16KB analyzed beyond the default body inspection limit. Other standard service charges for AWS WAF still apply. For more information about pricing, visit the AWS WAF Pricing page. For more information about the service, visit the AWS WAF page.