The XC security policy is an alternative workaround but service policies are not very good for POST request body match even if the option is there as they do not extract the body Form-Data or x-www-form-urlencoded parameters like with F5 AWAF/ASM or they do not support matching on all HTTP headers or query parameters for example as the header or query parameter names need to be explicitly specified and can't be a wildcard.