
[Backend] No explicit request body-size limit configured on express.json(); relies on undocumented 100kb default with no 413 handling test #1184

Description

@grantfox-oss

Telegram (ask questions / claim the issue here first): https://t.me/+DOylgFv1jyJlNzM0

Why this matters

backend/src/app.ts:118 calls express.json() with no limit option, so protection depends entirely on body-parser's implicit 100kb default. The limit is never stated or documented, and the audit-log middleware persists the full req.body to Postgres (auditLog.ts:90-94), so request size directly drives DB write size. There is no test asserting oversized payloads are rejected.

Acceptance criteria

  • Set an explicit limit on express.json() (e.g. express.json({ limit: '100kb' })) sized to the largest legitimate payload
  • Verify oversized requests return 413 through the central error handler with a structured error code
  • Document the configured request-size limit
  • Add a test asserting a payload over the limit is rejected with 413
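Added example (not the project's code or the issue author's): a plain Node.js body guard that mirrors what express.json({ limit }) enforces, the central-handler mapping to a structured 413, and a synchronous entry point an acceptance test can drive. BoundedBody, errorResponse, handleJsonRequest, the PAYLOAD_TOO_LARGE code and the 100kb constant are assumptions for illustration.

```javascript
const BODY_LIMIT_BYTES = 100 * 1024; // explicit, documented limit (assumed value for this example)

// Same shape body-parser raises for an oversized body: status 413, type 'entity.too.large'
function entityTooLarge(limit) {
  const err = new Error(`request entity too large (limit ${limit} bytes)`);
  err.status = 413;
  err.type = 'entity.too.large';
  return err;
}

// Accumulates a request body while enforcing the byte limit. An oversized body is
// refused as soon as the count passes the limit, before anything downstream
// (route handlers, audit logging) ever sees it.
class BoundedBody {
  constructor(limit, declaredLength) {
    this.limit = limit;
    this.received = 0;
    this.chunks = [];
    // A Content-Length above the limit is refused before any bytes are read
    if (Number.isFinite(declaredLength) && declaredLength > limit) throw entityTooLarge(limit);
  }
  push(chunk) {
    this.received += chunk.length;
    if (this.received > this.limit) throw entityTooLarge(this.limit);
    this.chunks.push(chunk);
  }
  json() { return JSON.parse(Buffer.concat(this.chunks).toString('utf8')); }
}

// Central error handler: a structured code per failure, never the raw message or stack
function errorResponse(err, limit) {
  if (err.type === 'entity.too.large') {
    return { status: 413, body: { code: 'PAYLOAD_TOO_LARGE', limitBytes: limit } };
  }
  if (err instanceof SyntaxError) return { status: 400, body: { code: 'INVALID_JSON' } };
  return { status: 500, body: { code: 'INTERNAL_ERROR' } };
}

// Runs one request (headers plus body chunks) through the guard and the handler and
// returns what the server would write. Kept synchronous so a test can call it directly.
function handleJsonRequest({ headers = {}, chunks = [] }, limit = BODY_LIMIT_BYTES) {
  try {
    const body = new BoundedBody(limit, Number(headers['content-length']));
    for (const chunk of chunks) body.push(Buffer.from(chunk)); // streamed, checked per chunk
    return { status: 200, body: { fields: Object.keys(body.json()).length } };
  } catch (err) {
    return errorResponse(err, limit);
  }
}
```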

Files to touch

  • backend/src/app.ts

Out of scope

  • Per-route size overrides
  • Streaming/multipart upload handling

Metadata

Labels

  • Stellar Wave: Issues in the Stellar wave program
  • backend: Issues related to backend development
  • enhancement: New feature or request
  • security: Security related issues
