Security & Validation

Request Size Limit Policy

Enforces a maximum size in bytes of the incoming request.

Configuration

The configuration shows how to configure the policy in the 'policies.json' document.


config/policies.json
{
  "name": "my-request-size-limit-inbound-policy",
  "policyType": "request-size-limit-inbound",
  "handler": {
    "export": "RequestSizeLimitInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "maxSizeInBytes": 10000
    }
  }
}

Policy Configuration

name <string> - The name of your policy instance. This is used as a reference in your routes.
policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be request-size-limit-inbound.
handler.export <string> - The name of the exported type. Value should be RequestSizeLimitInboundPolicy.
handler.module <string> - The module containing the policy. Value should be $import(@zuplo/runtime).
handler.options <object> - The options for this policy. See Policy Options below.

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

maxSizeInBytes (required) <number> - The maximum size of the request in bytes.
trustContentLengthHeader <boolean> - If true, the policy will reject any request with a content-length header in excess of maxSizeInBytes bytes value, but will not verify the actual size of the request. This is more efficient and offers slightly better memory usage but should only be used if you trust/control the clients calling the gateway to send an accurate content-length. If false, the gateway will actually verify the request size and reject any request with a size in excess of the stated maximum.

Using the Policy

Read more about how policies work

Edit this page

Last modified on May 29, 2026

Require Origin Policy Secret Masking Policy

Configuration

The configuration shows how to configure the policy in the 'policies.json' document.

config/policies.json

{
  "name": "my-request-size-limit-inbound-policy",
  "policyType": "request-size-limit-inbound",
  "handler": {
    "export": "RequestSizeLimitInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "maxSizeInBytes": 10000
    }
  }
}

Policy Configuration

name <string> - The name of your policy instance. This is used as a reference in your routes.

policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be request-size-limit-inbound.

handler.export <string> - The name of the exported type. Value should be RequestSizeLimitInboundPolicy.

handler.module <string> - The module containing the policy. Value should be $import(@zuplo/runtime).

handler.options <object> - The options for this policy. See Policy Options below.

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

maxSizeInBytes (required) <number> - The maximum size of the request in bytes.

trustContentLengthHeader <boolean> - If true, the policy will reject any request with a content-length header in excess of maxSizeInBytes bytes value, but will not verify the actual size of the request. This is more efficient and offers slightly better memory usage but should only be used if you trust/control the clients calling the gateway to send an accurate content-length. If false, the gateway will actually verify the request size and reject any request with a size in excess of the stated maximum.