You can prevent your APIs from code injection attacks by using this assertion. This type can help protect vulnerable parameters in the path (or URI) of the URL, in addition to the URL query string and message body.

Configure the assertion as below:

• Apply protection to
  Specify where to apply for the protection:

1. URL Path: Select this to protect the URL Path.
2. URL Query String: Select this to protect the query parameters in the URL.
3. Body: Select this to protect the body of the message. These will be scanned depending on the Content-Type header:
   • application/x-www-form-urlencoded: Scans Form Post parameters
   • application/json: Scans attribute values and character-data
   • multipart/form-data: Scans each MIME part; depends on Content-Type of MIME part
   • text/xml: Scans attribute values and character-data
   • anything else: Scans the entire message body

• Select code injection protection that you would like to enable
  Select one or more injection threats to protect against. The API will fail upon the first protection violation detected.
  
  Click on Save to complete the configuration.