Share via

Azure Front Door WAF blocks all multipart/form-data requests (error 200002 / 200003)

YSK 0 Reputation points
2025-08-05T13:06:19.4+00:00

We are using Azure Front Door with WAF enabled to route traffic to our backend Java Spring API.

Our endpoint accepts file uploads using multipart/form-data (typically .zip files), and this works perfectly without Front Door, but when routed through Azure Front Door, all multipart requests are blocked — even small files (as low as 15 KB or less).

We’re getting the following WAF rule violations:

  • Microsoft_DefaultRuleSet-2.1-General-200002

Microsoft_DefaultRuleSet-2.1-General-200003

We’ve confirmed:

  • The Content-Type header is correct: multipart/form-data; boundary=...
  • The Content-Length is reasonable and accurate.
  • We're testing via Postman — which correctly calculates boundaries and content length.
  • The files contain standard content like .jpg, .png, .xlsx, or .zip.
Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator
    2025-08-05T21:32:54.58+00:00

    Hello YSK

    We understand that you're running into issues with Azure Front Door's Web Application Firewall (WAF) blocking your multipart/form-data requests to your backend API.

    • Rule 200002: Triggers when the WAF fails to parse the request body correctly.
    • Rule 200003: Triggers when the multipart content fails strict validation, often due to boundary or encoding issues

    1.We Recommend Creating a Custom WAF Policy and Clone the default rule set and disable only rules 200002 and 200003 for the specific endpoint handling file uploads.

    This avoids disabling the entire rule set and keeps other protections intact.

    1. Use WAF in Detection Mode, temporarily switch WAF to Detection mode to monitor and confirm false positives without blocking traffic, once confirmed, apply custom exclusions.

    3.Consider adding your multipart requests to an exclusion list in the WAF configuration. This may help prevent the WAF from blocking these requests.

    4.Ensure that the files you are trying to upload do not exceed any configured limits in the WAF settings. Azure WAF has configurable limits that can be adjusted based on your application requirements.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.