--- REQUEST BODY SIZE LIMITS ---
Request body size limits reject oversized payloads early, before they consume memory or processing time, so a client cannot crash or slow down the server by sending a massive body.
How it would work:
- Configure globally in createApp({ server: { maxBodyBytes: 1_048_576 } }) for a 1MB limit
- The Rust layer checks Content-Length against the limit before reading the body — instant rejection without buffering
- For chunked/streamed requests without Content-Length, the Rust layer tracks bytes as they arrive and cuts off once the limit is exceeded
- Returns 413 Payload Too Large with a clear error message
- Can be overridden per-route for endpoints that need larger bodies like file uploads: app.post("/upload", { maxBodyBytes: 50_000_000 }, handler)
- Works for all content types — JSON, form data, file uploads, raw binary
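The two checks described above (the Content-Length pre-check and the running byte count for chunked bodies), sketched in Rust. This is an added example, not code from the framework itself; BodyLimit, Verdict, precheck, on_chunk and handle are hypothetical names, and the input in main is constructed.

```rust
// Added illustration; all type and function names here are hypothetical.
#[derive(Debug, PartialEq)]
pub enum Verdict { Accept, Reject413 } // Reject413 = 413 Payload Too Large

pub struct BodyLimit { max: u64, seen: u64 }

impl BodyLimit {
    /// A per-route maxBodyBytes, when present, replaces the global one.
    pub fn new(global_max: u64, route_max: Option<u64>) -> Self {
        BodyLimit { max: route_max.unwrap_or(global_max), seen: 0 }
    }

    /// Header-only check, run before any body byte is read.
    /// None means no Content-Length (chunked/streamed), so it passes here.
    pub fn precheck(&self, content_length: Option<u64>) -> Verdict {
        match content_length {
            Some(n) if n > self.max => Verdict::Reject413,
            _ => Verdict::Accept,
        }
    }

    /// Called per chunk as it arrives; a body exactly at the limit is allowed.
    pub fn on_chunk(&mut self, chunk: &[u8]) -> Verdict {
        self.seen = self.seen.saturating_add(chunk.len() as u64);
        if self.seen > self.max { Verdict::Reject413 } else { Verdict::Accept }
    }
}

/// Drives one request; returns the verdict and the body bytes consumed.
pub fn handle(mut limit: BodyLimit, content_length: Option<u64>, chunks: &[&[u8]]) -> (Verdict, u64) {
    if limit.precheck(content_length) == Verdict::Reject413 {
        return (Verdict::Reject413, 0); // rejected on the header, nothing buffered
    }
    for chunk in chunks {
        if limit.on_chunk(chunk) == Verdict::Reject413 {
            return (Verdict::Reject413, limit.seen); // later chunks are never read
        }
    }
    (Verdict::Accept, limit.seen)
}

fn main() {
    // Constructed input: 1_048_576-byte limit, four 524_288-byte chunks, no Content-Length.
    let chunk = vec![0u8; 524_288];
    let chunks: Vec<&[u8]> = vec![chunk.as_slice(); 4];
    println!("{:?}", handle(BodyLimit::new(1_048_576, None), None, &chunks));
}
```

The streamed case stops at the third chunk, so at most one chunk past the limit is ever read.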
How it would NOT work:
- Does not validate what's inside the body — it only checks size, not structure or content type
- Does not compress or truncate the body to fit — it's a hard reject, the full request is refused
- Does not apply to GET/HEAD/OPTIONS requests — these typically have no body
- Does not limit response sizes — only incoming request bodies from clients
- Does not protect against slowloris attacks — a client sending 1 byte per second stays under the size limit but ties up a connection, which is a different problem