security: Add request body size limits to FastAPI #46

@YaronZaki

Description

Problem Statement

No request body size limits configured in FastAPI or nginx. Large payloads could cause DoS via memory exhaustion before application-level validation runs.

Evidence

  • quantara/web_app/api/main.py: No maximum_request_body_size configured
  • quantara/frontend/quantara.conf: No client_max_body_size directive in nginx

Impact

Medium — DoS vector. Attacker can send multi-GB JSON payloads exhausting server memory before Pydantic validation runs.

Proposed Solution

Set nginx client_max_body_size 1M (rejects at edge). Additionally configure FastAPI maximum_request_body_size as defense-in-depth.
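The application-side half of that proposal, as an added example that is not part of this issue or of the Quantara code: FastAPI/Starlette provide no built-in body-size setting of their own, so the cap is enforced here in a pure-ASGI middleware. The names BodySizeLimitMiddleware, echo_app and simulate are mine, and echo_app only stands in for the real API so the block runs offline. The nginx client_max_body_size 1M limit the issue proposes stays the first line of defence; this layer catches what still reaches the app, including chunked bodies and bodies whose Content-Length header understates their real size.

```python
"""Application-side request body cap for an ASGI app (FastAPI/Starlette).

Added example: a pure-ASGI middleware that answers 413 once a request body
exceeds MAX_BODY_BYTES, plus a small offline harness that drives it.
"""
import asyncio
from typing import Optional

# 1 MiB, the same size nginx allows for `client_max_body_size 1M`.
MAX_BODY_BYTES = 1024 * 1024


class BodyTooLarge(Exception):
    """Raised from the wrapped receive() once the streamed body exceeds the cap."""


class BodySizeLimitMiddleware:
    """Reject oversized HTTP request bodies before the application reads them.

    Two checks, both needed:
      1. Content-Length larger than the cap -> reject without reading anything.
      2. Bytes actually streamed (chunked or understated Content-Length) ->
         count them in a wrapped receive() and abort the moment the cap is hit.
    """

    def __init__(self, app, max_bytes: int = MAX_BODY_BYTES):
        self.app = app
        self.max_bytes = max_bytes

    @staticmethod
    def _declared_length(scope) -> Optional[int]:
        for name, value in scope.get("headers", []):
            if name == b"content-length":
                try:
                    return int(value)
                except ValueError:
                    return None
        return None

    @staticmethod
    async def _send_413(send):
        body = b'{"detail":"Request body exceeds the configured limit"}'
        await send({
            "type": "http.response.start",
            "status": 413,
            "headers": [(b"content-type", b"application/json"),
                        (b"content-length", str(len(body)).encode())],
        })
        await send({"type": "http.response.body", "body": body})

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return

        declared = self._declared_length(scope)
        if declared is not None and declared > self.max_bytes:
            await self._send_413(send)  # fast path: nothing of the body is read
            return

        received = 0
        response_started = False

        async def limited_receive():
            nonlocal received
            message = await receive()
            if message["type"] == "http.request":
                received += len(message.get("body", b""))
                if received > self.max_bytes:
                    raise BodyTooLarge(received)
            return message

        async def tracking_send(message):
            nonlocal response_started
            if message["type"] == "http.response.start":
                response_started = True
            await send(message)

        try:
            await self.app(scope, limited_receive, tracking_send)
        except BodyTooLarge:
            if response_started:
                raise  # headers already on the wire; let the server close the connection
            await self._send_413(send)


async def echo_app(scope, receive, send):
    """Stand-in for the real API: reads the whole body, answers 200 with its size."""
    total = 0
    while True:
        message = await receive()
        total += len(message.get("body", b""))
        if not message.get("more_body", False):
            break
    body = str(total).encode()
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-length", str(len(body)).encode())]})
    await send({"type": "http.response.body", "body": body})


app = BodySizeLimitMiddleware(echo_app)


def simulate(body: bytes, declare_length: bool = True,
             declared_length: Optional[int] = None, chunk: int = 64 * 1024) -> int:
    """Drive `app` with a constructed POST over the ASGI interface; return the status."""
    headers = [(b"host", b"example.test"), (b"content-type", b"application/json")]
    if declare_length:  # declared_length lets a test send a lying Content-Length
        headers.append((b"content-length", str(declared_length if declared_length is not None else len(body)).encode()))
    scope = {"type": "http", "method": "POST", "path": "/items", "headers": headers}
    chunks = [body[i:i + chunk] for i in range(0, len(body), chunk)] or [b""]
    sent = []

    async def run():
        async def receive():
            data = chunks.pop(0)
            return {"type": "http.request", "body": data, "more_body": bool(chunks)}

        async def send(message):
            sent.append(message)

        await app(scope, receive, send)

    asyncio.run(run())
    return sent[0]["status"]


if __name__ == "__main__":
    print("small body:", simulate(b"x" * 10))
    print("1 MiB + 1, Content-Length set:", simulate(b"x" * (MAX_BODY_BYTES + 1)))
    print("1 MiB + 1, chunked:", simulate(b"x" * (MAX_BODY_BYTES + 1), declare_length=False))
```

In the real project the middleware would be attached with `app.add_middleware(BodySizeLimitMiddleware, max_bytes=MAX_BODY_BYTES)`; because the check runs in `receive()`, a body that blows the cap is rejected after at most one extra chunk, not after the whole payload has been buffered, which is the memory-exhaustion scenario the issue describes.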

Acceptance Criteria

  • Request body capped at 1MB for API endpoints
  • 413 Payload Too Large returned for oversized requests
  • Nginx configured with client_max_body_size 1M
  • All existing tests pass

File Map

  • quantara/web_app/api/main.py — configure body size limit
  • quantara/frontend/quantara.conf — add client_max_body_size 1M
  • quantara/frontend/quantara_dev.conf — add client_max_body_size 1M

Testing Strategy

  • Integration: Send request with body >1MB, verify 413 response

Security Considerations

DoS hardening. Nginx-level limit is most effective — rejects before reaching application.

Definition of Done

  • Code implemented and peer-reviewed
  • Tests written and passing
  • PR linked and merged

Labels: security, quick-win
Priority: Medium
Difficulty: Beginner
Estimated Effort: 0.5h
