nhttp_limits (nhttp v1.0.0)
View SourceHeader validation and size limits for nhttp.
Enforces configurable limits on request headers and body to prevent abuse. All limits are optional - if not configured, defaults are used.
Configuration options:
max_header_name_length- Maximum length of a header name (default: 256)max_header_value_length- Maximum length of a header value (default: 8192)max_headers- Maximum number of headers (default: 100)max_header_size- Total header block size in bytes (default: 65536)max_uri_length- Maximum URI/path length (default: 8192)max_body_size- Maximum request body size in bytes (default: 8388608, i.e. 8 MiB)
Summary
Functions
Check accumulated body size against the configured max_body_size.
Returns ok if Size is within the limit, {error, body_too_large}
otherwise. Used by H2/H3 incremental body accumulators where the request
body is delivered across multiple DATA frames.
Return default limit values.
Canonical HTTP status for a limit violation: 413 for the body limit,
414 for the URI limit, 431 for every header limit. Exhaustive on
purpose (no catch-all): a new limit_error() variant must add its
clause here.
Extract the request-limit subset from a connection's nhttp:opts() map.
The result is a t() ready to pass to validate_request/2 and
check_body_size/2. Unknown keys are dropped. Missing keys fall back to
default_limits/0 at lookup time.
Resolve the limits the HTTP/1.1 parser enforces while reading a request
head into the option keys nhttp_h1:parse_request_headers/2 expects.
The nhttp key max_headers maps to the lib key max_headers_count.
Resolved max_body_size from a limits map (default applied if missing).
Validate a request against configured limits.
Returns ok if all limits pass, or {error, Reason} for the first failure.
Types
-type limit_error() ::
body_too_large | header_name_too_long | header_too_large | header_value_too_long |
too_many_headers | uri_too_long.
-type t() :: #{max_header_name_length => pos_integer(), max_header_value_length => pos_integer(), max_header_size => pos_integer(), max_headers => pos_integer(), max_uri_length => pos_integer(), max_body_size => pos_integer()}.
Functions
-spec check_body_size(non_neg_integer(), t()) -> ok | {error, body_too_large}.
Check accumulated body size against the configured max_body_size.
Returns ok if Size is within the limit, {error, body_too_large}
otherwise. Used by H2/H3 incremental body accumulators where the request
body is delivered across multiple DATA frames.
-spec default_limits() -> t().
Return default limit values.
-spec error_to_status(limit_error()) -> nhttp_lib:status().
Canonical HTTP status for a limit violation: 413 for the body limit,
414 for the URI limit, 431 for every header limit. Exhaustive on
purpose (no catch-all): a new limit_error() variant must add its
clause here.
-spec from_opts(nhttp:opts()) -> t().
Extract the request-limit subset from a connection's nhttp:opts() map.
The result is a t() ready to pass to validate_request/2 and
check_body_size/2. Unknown keys are dropped. Missing keys fall back to
default_limits/0 at lookup time.
-spec h1_parse_opts(t()) -> #{max_header_size := pos_integer(), max_headers_count := pos_integer(), max_body_size := pos_integer()}.
Resolve the limits the HTTP/1.1 parser enforces while reading a request
head into the option keys nhttp_h1:parse_request_headers/2 expects.
The nhttp key max_headers maps to the lib key max_headers_count.
-spec max_body_size(t()) -> pos_integer().
Resolved max_body_size from a limits map (default applied if missing).
-spec validate_request(nhttp_lib:request(), t()) -> ok | {error, limit_error()}.
Validate a request against configured limits.
Returns ok if all limits pass, or {error, Reason} for the first failure.