[bitreq] Add default size limits for headers, status line, and body #463
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
While its hard to say what size body a client wants, HTTP headers and status line should be quite limited and its very easy for a dev to forget to set a reasonable limit. Here we limit the total header size to the same value used in Chrome, which seems like a pretty safe limit, and the status line limit to a quarter of that (which is really absurd for a status line).
Because its very easy to (mis-)use the API and forget to set a response size limit, we really should have a default one. Sadly, its also quite hard to pick a reasonable default here. Rather than being conservative, we pick 1 GiB and hope that this is enough to avoid an OOM, even though its still quite huge, and almost certainly is larger than what people will use `bitreq` for.
jamillambert
approved these changes
Jan 16, 2026
Collaborator
jamillambert
left a comment
jamillambert
left a comment
There was a problem hiding this comment.
ACK dfa0ce9
nit: Could be defined as consts e.g. DEFAULT_MAX_HEADER_SIZE to make it easier to understand what the numbers are when scanning over the code.
tcharding
approved these changes
Jan 19, 2026
Member
I elected to merge anyway and just leave the magic numbers in there. |
tcharding
added a commit
to tcharding/corepc
that referenced
this pull request
Jan 19, 2026
In preparation for releasing the changes in rust-bitcoin#463 (add default size limits for headers, status line, and body). Point release because if you squint 463 was a bug fix. Bump the version number, add a changelog entry, and update the lock files.
tcharding
added a commit
that referenced
this pull request
Jan 19, 2026
9b037aa Release tracking PR: bitreq v0.3.1 (Tobin C. Harding) Pull request description: In preparation for releasing the changes in #463 (add default size limits for headers, status line, and body). Point release because if you squint 463 was a bug fix. Bump the version number, add a changelog entry, and update the lock files. ACKs for top commit: TheBlueMatt: ACK 9b037aa 🎉 jamillambert: ACK 9b037aa Tree-SHA512: 089b8dd746558aff1f12b2267c0d91d80711266c859bf7dcdccf0546ee3d3000384f64841e3a9c8a2a6c0cc1733ff090afc043a63fa311d34c2732068669bc35
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I realize we also don't have default size limits for the total response headers or status line, which is quite a large footgun. Instead, here we adopt the default response header limit from chrome and set a status line limit of 1/4 of that. Also adds a 1GiB default body response just to have some limit even if its incredibly high and we still document that folks should really set it.
IMO we should cut this as 0.3.1.