
varnish: limit maximum size of incoming POST requests for Web API
Open, High, Public

Description

We now have a public-facing method in the Web API that accepts POST data (/known).

We should have a catch-all/last resort limitation on the size of incoming POST requests for all API methods to avoid abuses.

That specific endpoint will accept requests on the order of a few tens of KiB (50 KiB in the current proposal for T2276). I'm guessing a significantly larger varnish limit, e.g., 1 MiB (?), would be enough to avoid having to fiddle with it too often and still prevent significant abuses.

Event Timeline

zack renamed this task from "varnish: limit maximum size of incoming POST requests" to "varnish: limit maximum size of incoming POST requests for Web API". Tue, Feb 11, 3:08 PM
zack triaged this task as High priority.
zack created this task.
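
One way to express the catch-all limit described in this task in VCL, as an added example that is not Software Heritage's actual configuration. The backend address, the decision to refuse POSTs that carry no Content-Length, and the use of 1 MiB (the value floated in the description) as the threshold are assumptions.

```vcl
vcl 4.0;

import std;

# Placeholder backend (assumption); point this at the real Web API origin.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    if (req.method == "POST") {
        # A chunked body has no Content-Length, so its size cannot be
        # checked up front. This example refuses such requests rather
        # than letting an unbounded body through (assumed policy).
        if (!req.http.Content-Length) {
            return (synth(411, "Length Required"));
        }

        # 1 MiB = 1048576 bytes. The fallback passed to std.integer() is
        # deliberately above the limit: a Content-Length that does not
        # parse as an integer (garbage, or too large for VCL's INT type)
        # is then rejected instead of being treated as 0 and waved through.
        if (std.integer(req.http.Content-Length, 1048577) > 1048576 ||
            std.integer(req.http.Content-Length, 1048577) < 0) {
            return (synth(413, "Request Entity Too Large"));
        }
    }
}
```

This is a last-resort ceiling only; the tighter per-endpoint limit (50 KiB for /known in the T2276 proposal) still belongs in the application.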