WAF Profile contains a mapping from HTTP Content-Type value to the WAF request body processor. Request body processor is a WAF component responssible for parsing a particular format of a HTTP request, like application/x-www-form-urlencoded, JSON or XML. This section discusses more information on WAF request body parsers for various content types and how WAF uses them.

Though WAF ships with default settings for popular content types, on some occasions there can be a need to configure a specific content type used by a particular application. For example, when you configure application/xml Content-Type to use request body processor XML, it indicates that the XML request body processor will be used when WAF processes an HTTP request with application/xmlContent-Type header. The XML request body processor parses the XML contents of the request and allows for use of XML variables in Signature rules.

The following is a list of available request body parsers.

Request body parser


URL Encoded

WAF request body parser for URL encoded data (application/x-www-form-urlencoded Content-Type).


WAF request body parser for multipart form data (Content-Type multipart/form-data).


WAF request body parser for JSON data.


WAF request body parser for XML data.

As String

WAF request body parser that does not attempt to interpret the body of incoming requests in any way and does not set ARGS WAF variables. REQUEST_BODY variable is set to the value of request body data.

HTTP request is treated as a text and WAF attempts to scan for potential attack vectors in request data. However, it is advised to use more specific request body parser if possible.

Do Not Parse

WAF request body parser that does not attempt to parse incoming requests and does not set any WAF variables, effectively turning off WAF protection for a given content type. Use ctl:forceRequestBodyVariable in custom Signature rule to set REQUEST_BODY variable if it is needed.

When no request body processor is configured for a given Content-Type value, WAF uses As String value.

When writing custom PRE or POST CRS (Core Rule Set) rules, you can use the ctl:requestBodyProcessor action to set the request body processor when the conditions specified in the rule are met. Setting the request body processor using ctl:requestBodyProcessor action takes precedence over the WAF Profile setting.