Summary
POST /api/documents/paste returns a 403 from CloudFront (generic "Request blocked" page), not from the backend. Uploading an interview transcript via paste fails before reaching the API.
Steps to reproduce
- Open the frontend, navigate to a candidate's document upload.
- Paste transcript content larger than ~8KB into the paste field.
- Submit.
Observed behavior
- HTTP 403 returned from CloudFront.
- Response body is CloudFront's generic "Request blocked" page, not a FastAPI error response.
- Request never reaches the ALB or backend logs.
Normal behavior
Uploads under ~8KB succeed. File uploads via the multipart endpoint (not /paste) succeed regardless of size.
Relevant context
- /paste endpoint accepts up to 5MB of text (MAX_PASTE_CONTENT_LENGTH = 5_000_000 in app/backend/app/schemas/documents.py:101).
- AWS WAF inspects only the first 8KB of a request body by default; the default oversized_handling is BLOCK.
- AWSManagedRulesCommonRuleSet (applied on both CloudFront and ALB WAFs in infra/modules/waf/main.tf) includes CrossSiteScripting_BODY and SizeRestrictions_BODY rules, both enforcing (not count-only).
- Transcripts routinely contain patterns (angle brackets, code snippets, technical discussion) that match CrossSiteScripting_BODY.
- WAF logs live in CloudWatch log group aws-waf-logs-lauter-cloudfront.
- Affected routes/files: infra/modules/waf/main.tf (both WAF ACLs), app/backend/app/routers/documents.py:100 (the /paste route).
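Since the request never reaches the ALB or backend logs, the WAF log group is the only place that records which rule terminated each paste request. The script below is an added triage example, not code from this repository: it takes WAF log records (one JSON object per line, in the schema AWS WAF writes to CloudWatch Logs), counts BLOCK records for a URI by the terminating managed rule, and flags records whose body was larger than the bytes WAF actually inspected. The sample records, the PASTE_URI constant and the helper names are constructed for the example; the requestBodySize / requestBodySizeInspectedByWAF fields are assumed to be present only in newer log records and are treated as optional.

```python
import json
from collections import Counter

# Constructed sample records in the shape AWS WAF writes to CloudWatch Logs
# (one JSON object per line). Only the fields this script reads are populated.
PASTE_URI = "/api/documents/paste"
CRS = "AWS#AWSManagedRulesCommonRuleSet"


def _record(action, uri, rule_id=None, body_size=None, inspected=None):
    """Build one constructed WAF log line (sample data only, not real traffic)."""
    rec = {
        "timestamp": 1700000000000,
        "action": action,
        "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet" if rule_id else "Default_Action",
        "terminatingRuleType": "MANAGED_RULE_GROUP" if rule_id else "DEFAULT_ACTION",
        "ruleGroupList": [],
        "httpRequest": {"uri": uri, "httpMethod": "POST", "clientIp": "198.51.100.10"},
    }
    if rule_id:
        rec["ruleGroupList"].append({
            "ruleGroupId": CRS,
            "terminatingRule": {"ruleId": rule_id, "action": "BLOCK"},
        })
    if body_size is not None:
        # Assumed optional fields carried by newer WAF log records.
        rec["requestBodySize"] = body_size
        rec["requestBodySizeInspectedByWAF"] = inspected
    return json.dumps(rec)


SAMPLE_LOG_LINES = [
    _record("BLOCK", PASTE_URI, "SizeRestrictions_BODY", 24_000, 8_192),
    _record("BLOCK", PASTE_URI, "SizeRestrictions_BODY", 60_000, 8_192),
    _record("BLOCK", PASTE_URI, "CrossSiteScripting_BODY", 6_000, 6_000),
    _record("ALLOW", PASTE_URI, None, 4_000, 4_000),
    _record("BLOCK", "/login", "SizeRestrictions_BODY", 9_000, 8_192),
    "not json {",  # corrupt line, to show malformed input is skipped
]


def parse_records(lines):
    """Yield parsed records, skipping lines that are not valid JSON objects."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec


def terminating_rule(rec):
    """Name the rule that terminated the request: 'group/rule' for a managed
    rule group, otherwise WAF's top-level terminatingRuleId."""
    for group in rec.get("ruleGroupList", []):
        term = group.get("terminatingRule")
        if term:
            return f"{group.get('ruleGroupId', '?')}/{term.get('ruleId', '?')}"
    return rec.get("terminatingRuleId", "unknown")


def _blocked_for(lines, uri):
    for rec in parse_records(lines):
        if rec.get("action") == "BLOCK" and rec.get("httpRequest", {}).get("uri") == uri:
            yield rec


def blocks_by_rule(lines, uri):
    """Count BLOCK records for `uri`, keyed by the terminating rule."""
    counts = Counter(terminating_rule(rec) for rec in _blocked_for(lines, uri))
    return dict(counts)


def oversized_blocks(lines, uri):
    """Return (rule, body_size, inspected) for blocked requests to `uri` whose
    body exceeded the bytes WAF inspected; records lacking the size fields are ignored."""
    hits = []
    for rec in _blocked_for(lines, uri):
        size = rec.get("requestBodySize")
        inspected = rec.get("requestBodySizeInspectedByWAF")
        if size is not None and inspected is not None and size > inspected:
            hits.append((terminating_rule(rec), size, inspected))
    return hits


if __name__ == "__main__":
    for rule, n in sorted(blocks_by_rule(SAMPLE_LOG_LINES, PASTE_URI).items()):
        print(f"{n:4d}  {rule}")
    for rule, size, inspected in oversized_blocks(SAMPLE_LOG_LINES, PASTE_URI):
        print(f"oversized: {rule} body={size}B inspected={inspected}B")
```

To run it against production, feed it the message field of events exported from the aws-waf-logs-lauter-cloudfront log group (for example via `aws logs filter-log-events --log-group-name aws-waf-logs-lauter-cloudfront`) instead of SAMPLE_LOG_LINES. Splitting the count between SizeRestrictions_BODY and CrossSiteScripting_BODY tells you whether raising the inspection limit alone would help or whether the XSS body rule also needs a scoped-down exception for this route; the oversized list confirms how much of each body WAF actually saw before deciding.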
Area
Infrastructure / deploy, Backend (FastAPI).
Environment
Production.
Frequency and impact
Every paste larger than ~8KB fails. Blocks the transcript-paste upload flow — a core recruiter path. The multipart file-upload endpoint is the only current workaround.