File Upload API Blocked

Overview

If your application has an API endpoint that accepts file uploads and users or integrations are seeing 403 Forbidden errors when uploading, the WAF is likely blocking the request. File uploads are one of the most common sources of false positives because uploaded content can match WAF security patterns.

Why File Uploads Get Blocked

Upload Size Limit

This is the most common cause. The WAF enforces a maximum request size on all incoming requests. If the uploaded file exceeds this limit, the request is blocked with a 403 before it reaches your application.

The default limit is relatively low. If your application accepts image, document, or media uploads, you likely need to increase it.

File Content Matches Security Rules

The WAF inspects request bodies for attack patterns. File content — especially text files, CSVs, HTML files, or documents with embedded scripts — can trigger intrusion detection rules. For example:

  • An HTML file containing <script> tags triggers XSS detection
  • A CSV file containing SQL keywords triggers SQL injection detection
  • A text file with path traversal sequences (../) triggers directory traversal detection

Multipart Encoding Issues

Some API clients encode file uploads in ways that the WAF flags as non-standard POST requests. This is more common with custom HTTP clients than with standard form submissions.

How to Fix It

1. Check the Upload Size Limit

Go to Traffic Rules > Upload Size in your WAF dashboard. If the limit is lower than the files your users upload, increase it. See Maximum Request Size for available options.

2. Check WAF Logs for the Block Reason

Go to Block Logs in your WAF dashboard and find the blocked upload request. The block reason tells you what triggered the block:

  • Upload size — Increase the limit (Step 1)
  • Intrusion detection (XSS, SQL injection, etc.) — Allowlist the upload path (Step 3)
  • Non-standard POST — Allowlist the upload path (Step 3)

3. Allowlist the Upload Path

If file content is triggering security rules, allowlist the upload endpoint path. Navigate to Path Rules > Allow and add the path (e.g., /api/uploads or /attachments).

Use the most specific match pattern possible:

  • Equals /api/uploads if there is one exact upload path
  • Begins With /api/uploads/ if uploads go to sub-paths

See Allowlisting URL Paths for full instructions.

4. Test

Upload a file that was previously blocked to confirm the fix works.
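
Before retesting, the likely block reason for a given file can be estimated offline. The following Python script is an added example, not part of the WAF product or its documentation. The function names multipart_body and triage_upload are hypothetical, the patterns are simplified stand-ins for the three content examples listed above rather than the WAF's real rules, the 1024-byte limit is a placeholder, and it assumes the size limit is measured on the request body.

```python
import re
import uuid

# Simplified stand-ins for the three content examples on this page.
# Assumption: rough approximations, NOT the WAF's real rule set.
CONTENT_CHECKS = [
    ("XSS detection", re.compile(rb"<script\b", re.I)),
    ("SQL injection detection", re.compile(
        rb"\b(union\s+select|select\s+.+\s+from|drop\s+table|insert\s+into)\b", re.I)),
    ("directory traversal detection", re.compile(rb"\.\./")),
]

def multipart_body(filename, data, field="file"):
    """Build a multipart/form-data body the way a standard client would."""
    boundary = uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode()

def triage_upload(filename, data, max_request_bytes):
    """Return (likely block reason, fix step) pairs for one upload."""
    findings = []
    body = multipart_body(filename, data)
    # Assumption: the limit is measured on the request body, so the
    # multipart framing counts toward it, not only the file bytes.
    if len(body) > max_request_bytes:
        findings.append((f"upload size: {len(body)} > {max_request_bytes} bytes", "Step 1"))
    for rule, pattern in CONTENT_CHECKS:
        if pattern.search(data):
            findings.append((f"intrusion detection: {rule}", "Step 3"))
    return findings

if __name__ == "__main__":
    LIMIT = 1024  # placeholder; use the value from Traffic Rules > Upload Size
    samples = {  # constructed sample files
        "page.html": b"<html><script>render()</script></html>",
        "export.csv": b"id,note\n1,please select name from the list\n",
        "notes.txt": b"see ../shared/readme for details\n",
        "photo.jpg": b"\xff\xd8\xff" + b"\x00" * 1000,
    }
    for name, content in samples.items():
        print(name, triage_upload(name, content, LIMIT))
```

A file that returns no findings here but is still blocked should be looked up in Block Logs, since the WAF's real rules are broader than these stand-ins.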

Need Help?

If you cannot determine why uploads are being blocked: