Request body size limits configured

Accepting unbounded request bodies maps to CWE-770 (unrestricted resource allocation) and CWE-20 (improper input validation), and is flagged under OWASP API 2023 as unrestricted resource consumption. A single POST request carrying a multi-gigabyte JSON body can exhaust serverless function memory and cause a cold-start cascade, effectively a one-request denial of service. On platforms like Vercel, the 4.5MB default limit is generous enough to permit several hundred kilobytes of JSON per field — far more than typical API payloads need.

Set explicit body size limits in route handlers or middleware appropriate to what each endpoint actually needs. For Next.js Pages Router, add per-route config:

export const config = {
  api: { bodyParser: { sizeLimit: '1mb' } },
}

For Next.js App Router, enforce the limit in src/middleware.ts via the Content-Length header, or at the platform level in vercel.json:

{
  "functions": {
    "app/api/**": { "maxDuration": 30 }
  }
}

For Express: app.use(express.json({ limit: '1mb' })). Non-file-upload API endpoints rarely need more than 1MB; file upload endpoints should use streaming to object storage rather than buffering the entire body in memory.

• ID: saas-api-design.request-response.request-size-limits
• Severity: medium
• What to look for: Count all POST/PUT/PATCH routes. Check whether the application enforces a request body size limit for API routes. Look for: Next.js export const config = { api: { bodyParser: { sizeLimit: '...' } } } in Pages Router handlers; Next.js App Router custom bodyParser or platform-level config; Express express.json({ limit: '...' }) or express.urlencoded({ limit: '...' }); Fastify bodyLimit option; Hono body size middleware; Vercel's default 4.5MB body limit (check if overridden). A missing explicit limit means the framework default applies (which may be too large or too small depending on the use case).
• Pass criteria: An explicit request body size limit of no more than 10MB is configured at the framework, middleware, or platform level. The limit is appropriate for the endpoint's use case (API endpoints: 1MB-10MB is typical; non-file-upload endpoints: 1MB or less).
• Fail criteria: No explicit size limit is configured anywhere for API routes (relying solely on implicit defaults), AND the application accepts large bodies or has upload endpoints without any guardrails.
• Skip (N/A) when: Skip when no POST, PUT, or PATCH routes that read the request body exist. Specifically, look for routes that call .json(), .text(), .formData(), or .arrayBuffer() on the request object. POST routes that never parse the request body (e.g., routes that use only session/cookie data or URL parameters) do not need body size limits and should be excluded from this check's evaluation.
• Detail on fail: Example: No bodyParser size limit configured. Note where the limit is missing (e.g., "No bodyParser size limit found in Next.js Pages Router API config; no platform-level limit in vercel.json"). Max 500 chars.
• Remediation: Set explicit body size limits in app/api/ or pages/api/ route handlers appropriate to your use case. For Next.js Pages Router, add to each route that needs a non-default limit: export const config = { api: { bodyParser: { sizeLimit: '1mb' } } }. For Next.js App Router, configure via middleware or handle via streaming. For Express: app.use(express.json({ limit: '1mb' })). For Vercel, the default is 4.5MB per request — document this and add explicit in-code limits for sensitive endpoints. Do not accept unbounded request bodies on endpoints that don't need them; this leaves you open to memory exhaustion attacks.