CODEWITHSUNDEEP
node.jsexpress
aglavina
aglavina

Reputation: 395

Node Js Express default limits

Reading node js doc. They seems to be conservative in the default limit values for http body size and parameters quantity:

https://github.com/expressjs/body-parser#parameterlimit

I've found you can extend it and this seems to be a proved solution:

var bodyParser = require('body-parser');

app.use(bodyParser.urlencoded({
  parameterLimit: 100000,
  limit: '50mb',
  extended: true
}));

However, two questions remain:

  1. Why the default values are so conservative?
  2. Why expanding the limit to 50mb is a good idea?

I know the answers depend on the application the solution is applied, but I would appreciate a more general approach oriented answer to understand better the problem.

Upvotes: 1

Views: 9652

Answers (2)

ztech
ztech

Reputation: 560

I'm struggling to think of a legitimate use case where the API would need to accept more than 100 parameters in a single request. Reviewing The Open Web Application Security Project (OWASP) guidelines (CHEATSHEET HERE), the default limit values set by ExpressJS seem aligned and responsible. I wouldn't change them.

If you're going down a road where you think these limits may inhibit you from providing the functionality you need, I would strongly consider rethinking your strategy as this will likely open you to unnecessarily security vulnerabilities. For example, you could make multiple smaller requests etc.

Upvotes: 1

tmurphree
tmurphree

Reputation: 87

The answer seems to be the encoding of the HTTP payload.

The Express.js docs (http://expressjs.com/uk/api.html#req.body) say that bodyParser.urlencoded parses x-www-form-urlencoded data.

MDN (https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/POST) basically says that x-www-form-urlencoded data is key/value pairs and (I’m reading in between the lines here) not suitable for large amounts of data transmission (use multipart/form-data encoding to send large amounts of data):

x-www-form-urlencoded: the values are encoded in key-value tuples separated by '&', with a '=' between the key and the value. Non-alphanumeric characters are percent encoded: this is the reason why this type is not suitable to use with binary data (use multipart/form-data instead)

bodyParser seems to limit the data as a safety measure to help keep us from running in to transmission errors / issues. At least, that's how I read it.

Upvotes: 2

Related Questions