OWASP WAF rules reject application/vnd.api+json

I run into an issue where json:api requests are blocked by a Web Application Firewall. The implemented rules come from the OWASP project, and there application/vnd.api+json is not on the default content-type allow list.

  • Why is json:api not just sticking with plain application/json?
  • Does it make sense to propose adding application/vnd.api+json as default on the OWASP WAF rules project?

Many parties implement those rules these days, and it is painful to always start a discussion about why the holy defaults must be overwritten.