That's how one of my past employers resolved this. Basically base64 encoded every field in the JSON as someone reported a bug where the WAF blocked it. Not only was this done inconsistently and was super tedious but completely defeated the purpose of the WAF. (Except of course to check the checkbox that we had a WAF.)

yeah, i'd expect dang to just jump right on that. just because you feel it is trivial does not mean that it should be done.