Threat Protection assertion - Has anyone extensively used them with good results? if so, was there any performance impact? Please share how
I tried that assertion for testing few times in lab env and did not come across any performance issue, but can you provide more info on what were you trying to do and what kind of performance issue did you get in to.
So I believe most of the injection assertions work based on regular expressions. Depending on the size of the input evaluated and the steps of the regular expression you can see some time spent in evaluation. It would be useful to know how large of a request you are sending and what threat protection assertion you are using for this test. Also Audits can cause delays. There is a tactical assertion which also does code injection protection.
But the more items checked off on the top of the box body/path/query(body for example) and the more assertions used to evaluate regular expression can cause latency. So having some specifics may be of value.