Unbounded request bodies are a denial-of-service vector that requires no authentication and minimal sophistication. OWASP API Security Top 10 2023 API4 (Unrestricted Resource Consumption) and CWE-770 (Allocation of Resources Without Limits) both flag missing body size limits as a resource exhaustion risk. Sending a 1 GB JSON payload to an endpoint that reads the full body before rejecting it consumes memory, CPU, and I/O on every request — a single attacker can saturate a server. Node.js HTTP servers buffer the request body before passing it to handlers; without a size limit, that buffer is attacker-controlled. Cloud functions with per-invocation memory limits are particularly vulnerable.
Medium because oversized payloads can exhaust server memory and CPU per request, enabling denial of service from a single source without authentication.
Set body size limits in your HTTP framework's parser configuration. In Next.js, set the per-route limit via the API route's `config` export (and `serverActions.bodySizeLimit` in `next.config.js` for Server Actions); in Express, pass `limit` to `express.json()` and `express.urlencoded()`.
```js
// Next.js API route (Pages Router) — e.g. src/pages/api/upload.ts
// The `config.api.bodyParser` export is honoured only by pages/api routes;
// App Router route handlers ignore it and must cap the body stream themselves.
export const config = {
  api: { bodyParser: { sizeLimit: '10mb' } }, // override for large-upload routes
};
```

```js
// Default body limit for Server Actions — next.config.js
module.exports = {
  experimental: {
    serverActions: { bodySizeLimit: '1mb' }, // sensible default
  },
};
```

```js
// Express — applies to every route that goes through these parsers
app.use(express.json({ limit: '1mb' }));
app.use(express.urlencoded({ extended: true, limit: '1mb' }));
```
Set the default at 1 MB and raise it only for specific routes that legitimately handle larger payloads (file uploads, bulk imports).
ID: api-security.input-validation.body-size-limit
Severity: medium
What to look for: Enumerate every relevant item. Check JSON or body parser middleware configuration. Verify that a maximum request body size is enforced to prevent DoS attacks from oversized payloads.
Pass criteria: At least 1 of the following conditions is met. A request body size limit is configured (typically 1-10 MB depending on API use case). Requests exceeding the limit are rejected with a 413 Payload Too Large response.
Fail criteria: No body size limit is enforced, or the limit is unreasonably high (>100 MB).
Skip (N/A) when: The API accepts file uploads and legitimate uploads frequently exceed typical limits.
Detail on fail: "No request body size limit configured — large payloads could cause DoS"
Remediation: Configure body size limits in middleware:

```js
// Express
app.use(express.json({ limit: '10mb' }));
app.use(express.urlencoded({ extended: true, limit: '10mb' }));
```

```js
// Next.js API routes (Pages Router, pages/api)
export const config = {
  api: { bodyParser: { sizeLimit: '10mb' } },
};
```