nhttp_limits (nhttp v1.0.0)

View Source

Header validation and size limits for nhttp.

Enforces configurable limits on request headers and body to prevent abuse. All limits are optional - if not configured, defaults are used.

Configuration options:

  • max_header_name_length - Maximum length of a header name (default: 256)
  • max_header_value_length - Maximum length of a header value (default: 8192)
  • max_headers - Maximum number of headers (default: 100)
  • max_header_size - Total header block size in bytes (default: 65536)
  • max_uri_length - Maximum URI/path length (default: 8192)
  • max_body_size - Maximum request body size in bytes (default: 8388608, i.e. 8 MiB)

Summary

Functions

Check accumulated body size against the configured max_body_size. Returns ok if Size is within the limit, {error, body_too_large} otherwise. Used by H2/H3 incremental body accumulators where the request body is delivered across multiple DATA frames.

Return default limit values.

Canonical HTTP status for a limit violation: 413 for the body limit, 414 for the URI limit, 431 for every header limit. Exhaustive on purpose (no catch-all): a new limit_error() variant must add its clause here.

Extract the request-limit subset from a connection's nhttp:opts() map. The result is a t() ready to pass to validate_request/2 and check_body_size/2. Unknown keys are dropped. Missing keys fall back to default_limits/0 at lookup time.

Resolve the limits the HTTP/1.1 parser enforces while reading a request head into the option keys nhttp_h1:parse_request_headers/2 expects. The nhttp key max_headers maps to the lib key max_headers_count.

Resolved max_body_size from a limits map (default applied if missing).

Validate a request against configured limits. Returns ok if all limits pass, or {error, Reason} for the first failure.

Types

limit_error()

-type limit_error() ::
          body_too_large | header_name_too_long | header_too_large | header_value_too_long |
          too_many_headers | uri_too_long.

t()

-type t() ::
          #{max_header_name_length => pos_integer(),
            max_header_value_length => pos_integer(),
            max_header_size => pos_integer(),
            max_headers => pos_integer(),
            max_uri_length => pos_integer(),
            max_body_size => pos_integer()}.

Functions

check_body_size(Size, Limits)

-spec check_body_size(non_neg_integer(), t()) -> ok | {error, body_too_large}.

Check accumulated body size against the configured max_body_size. Returns ok if Size is within the limit, {error, body_too_large} otherwise. Used by H2/H3 incremental body accumulators where the request body is delivered across multiple DATA frames.

default_limits()

-spec default_limits() -> t().

Return default limit values.

error_to_status/1

-spec error_to_status(limit_error()) -> nhttp_lib:status().

Canonical HTTP status for a limit violation: 413 for the body limit, 414 for the URI limit, 431 for every header limit. Exhaustive on purpose (no catch-all): a new limit_error() variant must add its clause here.

from_opts(Opts)

-spec from_opts(nhttp:opts()) -> t().

Extract the request-limit subset from a connection's nhttp:opts() map. The result is a t() ready to pass to validate_request/2 and check_body_size/2. Unknown keys are dropped. Missing keys fall back to default_limits/0 at lookup time.

h1_parse_opts(Limits)

-spec h1_parse_opts(t()) ->
                       #{max_header_size := pos_integer(),
                         max_headers_count := pos_integer(),
                         max_body_size := pos_integer()}.

Resolve the limits the HTTP/1.1 parser enforces while reading a request head into the option keys nhttp_h1:parse_request_headers/2 expects. The nhttp key max_headers maps to the lib key max_headers_count.

max_body_size(Limits)

-spec max_body_size(t()) -> pos_integer().

Resolved max_body_size from a limits map (default applied if missing).

validate_request/2

-spec validate_request(nhttp_lib:request(), t()) -> ok | {error, limit_error()}.

Validate a request against configured limits. Returns ok if all limits pass, or {error, Reason} for the first failure.