Limit request body size to prevent resource exhaustion

Limit request body size to prevent resource exhaustion | BeforeMerge Rules | BeforeMerge

Why this matters

Parsing an arbitrarily large body buffers attacker-controlled data into memory. A few oversized requests can exhaust the process and take down the service. Enforce an explicit size limit at the parser.

// Bad: no limit — accepts any payload size
app.use(express.json());
 
// Good: cap the body size
app.use(express.json({ limit: "100kb" }));

Why This Matters

Related Rules

Catch this automatically on every PR

Why this matters