
Request Size Limiting

Overview

The Request Size Limiting policy is used to restrict the maximum payload size (body content) allowed in an incoming API request. This helps protect APIs from excessive data consumption and potential denial-of-service (DoS) risks due to large payloads.

When this policy is applied, all incoming requests will be measured, and any request exceeding the allowed size will be terminated with an error response.

Configuration Details

| Field | Description |
| --- | --- |
| PayloadSize (Required) | The maximum body size allowed for the request in kilobytes (KB). The value must be greater than or equal to 1KB. |

Note

Cannot be changed: When enabled, this policy cannot be toggled on/off after being applied.

Cannot change the setting value: When enabled, the PayloadSize cannot be modified once saved.

Even minimal payloads for communication purposes incur basic transmission overhead, so the minimum value allowed is 1KB.

The request body is evaluated based on content size per request origin and method. If this policy is enabled, processing time may vary depending on payload volume.

Behavior and Usage Notes

  • If a client sends a request body larger than the defined PayloadSize, the API gateway will return an error (usually HTTP 413 - Payload Too Large).
  • Use this policy in endpoints expecting structured input like JSON, XML, or file uploads, where you want to guard against unexpectedly large bodies.
  • The limit applies per API request and should be chosen based on the expected average request size plus a buffer margin.
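
The sketch below illustrates how a body size limit of this kind is commonly enforced. It is an added example, not the gateway's own implementation. It rejects on the declared Content-Length before reading anything, then counts the bytes actually received so that a request with no Content-Length (or an understated one) cannot bypass the limit. The function names, the 1 KB = 1024 bytes conversion and the pre-normalized header keys are assumptions.

```python
import io

class PayloadTooLarge(Exception):
    """Raised when the body exceeds the limit; maps to HTTP 413 in this sketch."""

def limit_bytes(payload_size_kb: int) -> int:
    # The page requires PayloadSize >= 1 KB. Assumption: 1 KB = 1024 bytes.
    if payload_size_kb < 1:
        raise ValueError("PayloadSize must be at least 1 KB")
    return payload_size_kb * 1024

def read_limited_body(headers, stream, payload_size_kb, chunk=4096):
    """Return the body, or raise PayloadTooLarge without buffering past the limit."""
    limit = limit_bytes(payload_size_kb)
    declared = headers.get("Content-Length")  # assumption: header keys already normalized
    if declared is not None:
        if not declared.isdigit():
            raise ValueError("malformed Content-Length")
        # Fast path: reject on the declared size before reading any body bytes.
        if int(declared) > limit:
            raise PayloadTooLarge()
    # Slow path: count received bytes, since the header can be absent or understated.
    body = bytearray()
    while True:
        # Never read more than one byte past the limit.
        data = stream.read(min(chunk, limit + 1 - len(body)))
        if not data:
            break
        body += data
        if len(body) > limit:
            raise PayloadTooLarge()
    return bytes(body)

def status_for(headers, stream, payload_size_kb):
    """HTTP status this sketch would answer with: 413 when over the limit, else 200."""
    try:
        read_limited_body(headers, stream, payload_size_kb)
    except PayloadTooLarge:
        return 413
    return 200

if __name__ == "__main__":
    oversized = io.BytesIO(b"x" * 2048)      # constructed sample body, 2 KB
    print(status_for({}, oversized, 1))      # no Content-Length, limit 1 KB
```
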