For security, I'd like to set a maximum request length in my node.js application. (There are many security vulnerabilities which take advantage of web servers allowing unlimited request lengths).
Is this possible? Is there one already?
Asked
Active
Viewed 3,400 times
6
-
Possible duplicate of [Node.js HTTP Get URL Length limitation](http://stackoverflow.com/questions/32763165/node-js-http-get-url-length-limitation) – Shadow The GPT Wizard Jul 31 '16 at 05:36
1 Answers
1
I'm guessing you are referring to the data a client can send you through POST. If you are using Express, you can use the limit middleware to achieve this: http://senchalabs.github.com/connect/middleware-limit.html
A short version of what's done there is:
req.on('data', function(chunk){
received += chunk.length;
if (received > bytes) req.destroy();
});
alessioalex
- 62,577
- 16
- 155
- 122
-
1I'm also talking about GET—for example, see http://nikic.github.com/2011/12/28/Supercolliding-a-PHP-array.html for the kinds of issues that can come from accepting data from the client without limits. – Aaron Yodaiken Jan 03 '12 at 03:27
-
It's easier for GET requests, for example you can create a middleware that only allows X variables maximum in a GET request. Example: using a regex you determine how many '&' symbols are in the request url. If the maximum number is exceeded you destroy the connection. – alessioalex Jan 03 '12 at 09:26