
Commit babc8d9

rewrite docs about request data limits
1 parent 09449ee commit babc8d9


1 file changed

+20
-17
lines changed

docs/request_data.rst

+20-17
@@ -73,23 +73,26 @@ read the stream *or* call :meth:`~Request.get_data`.
7373
Limiting Request Data
7474
---------------------
7575

76-
To avoid being the victim of a DDOS attack you can set the maximum
77-
accepted content length and request field sizes. The :class:`Request`
78-
class has two attributes for that: :attr:`~Request.max_content_length`
79-
and :attr:`~Request.max_form_memory_size`.
80-
81-
The first one can be used to limit the total content length. For example
82-
by setting it to ``1024 * 1024 * 16`` the request won't accept more than
83-
16MB of transmitted data.
84-
85-
Because certain data can't be moved to the hard disk (regular post data)
86-
whereas temporary files can, there is a second limit you can set. The
87-
:attr:`~Request.max_form_memory_size` limits the size of `POST`
88-
transmitted form data. By setting it to ``1024 * 1024 * 2`` you can make
89-
sure that all in memory-stored fields are not more than 2MB in size.
90-
91-
This however does *not* affect in-memory stored files if the
92-
`stream_factory` used returns a in-memory file.
76+
The :class:`Request` class provides a few attributes to control how much data is
77+
processed from the request body. This can help mitigate DoS attacks that craft the
78+
request in such a way that the server uses too many resources to handle it. Each of
79+
these limits will raise a :exc:`~werkzeug.exceptions.RequestEntityTooLarge` if they are
80+
exceeded.
81+
82+
- :attr:`~Request.max_content_length` Stop reading request data after this number
83+
of bytes. It's better to configure this in the WSGI server or HTTP server, rather
84+
than the WSGI application.
85+
- :attr:`~Request.max_form_memory_size` Stop reading request data if any form part is
86+
larger than this number of bytes. While file parts can be moved to disk, regular
87+
form field data is stored in memory only.
88+
- :attr:`~Request.max_form_parts` Stop reading request data if more than this number
89+
of parts are sent in multipart form data. This is useful to stop a very large number
90+
of very small parts, especially file parts. The default is 1000.
91+
92+
Using Werkzeug to set these limits is only one layer of protection. WSGI servers
93+
and HTTPS servers should set their own limits on size and timeouts. The operating system
94+
or container manager should set limits on memory and processing time for server
95+
processes.
9396

9497

9598
How to extend Parsing?
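Review bot: the new `max_form_memory_size` bullet changes the documented semantics relative to the removed paragraph without saying so. The old text described a limit on the total of all in-memory fields ("all in memory-stored fields are not more than 2MB in size"), while the new bullet says reading stops "if any form part is larger than this number of bytes", which is a per-part limit. Please confirm which of the two the form parser actually enforces and word the bullet to match. The removed caveat that a custom `stream_factory` returning an in-memory file makes file parts count against memory is also worth keeping, since the new wording "file parts can be moved to disk" reads as if files never occupy memory. Minor: "HTTPS servers" in the closing paragraph should read "HTTP servers", matching "WSGI server or HTTP server" in the first bullet.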
