Friday, March 4, 2022

Node Express application Security: Set Request Size Limit for JSON data and file uploading

Here, we discuss how to protect a Node Express application from a user who tries to degrade its performance by sending a very large JSON body or by uploading a very large file.

By default, Express accepts JSON bodies of up to 100KB; a larger body is rejected with a 413 error code. For file uploads handled by the Multer package there is no default file size limit, so we should set one in our Node.js code. Let's discuss JSON input data and file uploading separately.

JSON input data: As noted above, Express accepts 100KB of JSON data by default, which is sufficient in most scenarios. If we need to send JSON data larger than 100KB, we have to raise the default limit. We can do so with the following two middlewares.

app.use(express.json({limit: '10mb'})); // 'extended' is not an express.json option; it only applies to urlencoded
app.use(express.urlencoded({limit: '10mb', extended: true}));

Now, this Express application will accept JSON data of up to 10mb.

File upload size limit: Generally, we use the Multer package to handle incoming file uploads. Here, we can reduce the risk by setting a maximum file size limit in Multer. It can be done in the following way.

const multer = require('multer');
const upload = multer({limits: { fileSize: 1024 * 1024 * 150 }}); //150Mb

Here, we are defining the maximum allowed file size as 150mb. This size applies to both single file upload and multiple file upload. So, if we upload a single file of, say, 200mb, or two files together of about 100mb each (100+100=200mb), then in both cases the defined limit of 150mb is exceeded, and the request fails with a 500 status code and the error message "File too large".

I have created the two routes below for handling single file upload and multiple file upload.

app.post('/singleFileUpload', upload.single("file"), (req, res) => {
  const jsonData = req.body;
  res.status(200).json({
    "status": "success"
  });
});

app.post('/multipleFileUpload', upload.array("file"), (req, res) => {
  const jsonData = req.body;
  res.status(200).json({
    "status": "success"
  });
});
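An Express error-handling middleware, added here as an example and not part of the original post, that turns body-parser's 'entity.too.large' error (from express.json) and Multer's LIMIT_* errors into a short 413 JSON response instead of the default 500 page that echoes the error stack. Multer checks `fileSize` against each file part as it is streamed, so the limits object also sets `files` to cap how many parts one request may carry; the names multerLimits, classifyLimitError and requestLimitErrorHandler are this example's own, and the block uses only plain objects so it runs without express or multer installed.

```javascript
// Added example, not from the original post. Mount it after all routes:
//   const upload = multer({ limits: multerLimits });
//   app.use(requestLimitErrorHandler);
// multerLimits, classifyLimitError and requestLimitErrorHandler are names
// chosen for this example, not Express or Multer APIs.

// Multer enforces fileSize on each file part separately, so also cap the
// number of parts; otherwise one request may carry fileSize * N bytes.
const multerLimits = {
  fileSize: 1024 * 1024 * 150, // 150 MB per file, as in the post
  files: 2,                    // at most two file parts per request
  fields: 20,                  // at most twenty non-file fields
};

// Multer error codes (err.name === 'MulterError', err.code === 'LIMIT_*')
// mapped to a status and a message that reveals nothing about the server.
const MULTER_LIMIT_CODES = {
  LIMIT_FILE_SIZE: { status: 413, message: 'File too large' },
  LIMIT_FILE_COUNT: { status: 413, message: 'Too many files' },
  LIMIT_PART_COUNT: { status: 413, message: 'Too many parts' },
  LIMIT_FIELD_COUNT: { status: 413, message: 'Too many fields' },
  LIMIT_UNEXPECTED_FILE: { status: 400, message: 'Unexpected file field' },
};

// Returns { status, message } for a request-limit error, or null for
// any other error so the caller can pass it on unchanged.
function classifyLimitError(err) {
  if (!err) return null;
  // body-parser (express.json / express.urlencoded) tags its errors with err.type.
  if (err.type === 'entity.too.large') {
    return { status: 413, message: 'Request body exceeds the size limit' };
  }
  if (err.type === 'entity.parse.failed') {
    return { status: 400, message: 'Malformed request body' };
  }
  if (err.name === 'MulterError' && MULTER_LIMIT_CODES[err.code]) {
    return MULTER_LIMIT_CODES[err.code];
  }
  return null;
}

// Express recognises a 4-argument function as an error handler. Limit
// errors get a compact JSON reply; everything else goes to next(err).
function requestLimitErrorHandler(err, req, res, next) {
  const hit = classifyLimitError(err);
  if (!hit) return next(err);
  return res.status(hit.status).json({ status: 'error', message: hit.message });
}
```

The handler must be registered with app.use after the upload routes, because Express only routes an error to handlers that appear later in the middleware chain.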

Here is my code, which will help in reproducing the outcome of the above discussion.

package.json

{
  "name": "node_test",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "start": "nodemon ./app"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "express": "^4.17.3",
    "multer": "^1.4.4",
    "nodemon": "^2.0.15"
  }
}

app.js

const express = require('express');
const multer = require('multer');
const app = express();
const upload = multer({limits: { fileSize: 1024 * 1024 * 150 }}); //150Mb

//middleware
app.use(express.json({limit: '10mb'})); // 'extended' is not an express.json option; it only applies to urlencoded
app.use(express.urlencoded({limit: '10mb', extended: true}));

const port = 3000;

app.get('/', (req, res) => {
  res.status(200).json({
    "status": "success"
  });
});

app.post('/bigJson', (req, res) => {
  const jsonData = req.body;
  res.status(200).json({
    "status": "success",
    "jsonData": jsonData
  });
});

app.post('/singleFileUpload', upload.single("file"), (req, res) => {
  const jsonData = req.body;
  res.status(200).json({
    "status": "success"
  });
});

app.post('/multipleFileUpload', upload.array("file"), (req, res) => {
  const jsonData = req.body;
  res.status(200).json({
    "status": "success"
  });
});

app.listen(port, () => {
  console.log("Server has started");
});
