
feat(sakurajima): add request size limits to prevent DoS attacks #838

Merged
Xe merged 1 commit into master from me/xe-29-fixsakurajima-add-request-size-limits-to-prevent-dos on Feb 10, 2026

Conversation

@Xe (Owner) commented Feb 5, 2026

Summary

  • Add configurable request size limits per domain to prevent DoS attacks through large request bodies, header flooding, and excessive header counts
  • Add limits block to domain configuration with max_request_body, max_header_size, and max_header_count options
  • Add middleware to enforce limits and return appropriate HTTP status codes (413, 431) when exceeded
  • Add Prometheus metrics for tracking rejected requests by reason
  • Add comprehensive tests for limits parsing and validation

Configuration

domain "example.com" {
  limits {
    max_request_body = "10MB"    # Maximum request body size (default: 10MB)
    max_header_size  = "1MB"     # Maximum size of headers (default: 1MB)
    max_header_count = 100       # Maximum number of headers (default: 100)
  }
}

Test plan

  • All existing tests pass
  • New tests added for limits parsing and validation
  • Configuration validation works correctly
  • Metrics are exposed for rejected requests

Fixes XE-29

linear bot commented Feb 5, 2026

Add configurable request size limits per domain to prevent DoS attacks
through large request bodies, header flooding, and excessive header counts.

- Add Limits struct to domain configuration with:
  - max_request_body: Maximum request body size (default: 10MB)
  - max_header_size: Maximum size of headers (default: 1MB)
  - max_header_count: Maximum number of headers (default: 100)

- Add WithLimits middleware to enforce limits and return appropriate
  HTTP status codes (413, 431) when exceeded

- Add Prometheus metrics for tracking rejected requests by reason

- Add comprehensive tests for limits parsing and validation

- Update example configuration with limits block

Fixes XE-29

Assisted-by: GLM 4.6 via Claude Code
Signed-off-by: Xe Iaso <[email protected]>
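The behaviour the PR summary and the commit message above describe (per-domain limits on body size, total header size and header count, enforced by a middleware that answers 413 or 431 and counts rejections by reason) as an added Go example. This is code written for this page, not the Sakurajima PR's own implementation: the `Limits` type and its field names, `WithLimits`, `reject`, `headerStats`, `echo`, `probe`, the reason labels, and the tiny limits used in `main` are all assumptions, and the Prometheus counter is stood in for by a plain map so the example runs offline. The two body paths differ on purpose: a request that declares an oversized Content-Length is refused before any of the body is read, while a chunked or undeclared body is capped at read time with `http.MaxBytesReader`.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Limits mirrors the PR's limits block (defaults there: 10MB, 1MB, 100). Illustrative code, not the project's.
type Limits struct {
	MaxRequestBody int64 // bytes
	MaxHeaderSize  int   // bytes, summed over header names and values
	MaxHeaderCount int   // number of header values
}

// RejectCounter stands in for a Prometheus counter vector keyed by rejection
// reason (a real counter is goroutine-safe; this plain map is not).
type RejectCounter map[string]int

// reject records the reason label and answers with the given status.
func reject(w http.ResponseWriter, rejected RejectCounter, reason string, code int) {
	rejected[reason]++
	http.Error(w, http.StatusText(code), code)
}

// headerStats counts header values and sums the bytes of their names and values.
func headerStats(h http.Header) (count, size int) {
	for name, values := range h {
		for _, v := range values {
			count++
			size += len(name) + len(v)
		}
	}
	return count, size
}

// WithLimits enforces limits in front of next: header checks answer 431 before the body is touched, an oversized body answers 413.
func WithLimits(limits Limits, rejected RejectCounter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		count, size := headerStats(r.Header)
		if count > limits.MaxHeaderCount {
			reject(w, rejected, "header_count", http.StatusRequestHeaderFieldsTooLarge)
			return
		}
		if size > limits.MaxHeaderSize {
			reject(w, rejected, "header_size", http.StatusRequestHeaderFieldsTooLarge)
			return
		}
		// A declared Content-Length over the limit is refused without reading a byte.
		if r.ContentLength > limits.MaxRequestBody {
			reject(w, rejected, "body_size", http.StatusRequestEntityTooLarge)
			return
		}
		// Chunked or undeclared bodies cannot be sized up front, so cap the reader; the handler sees *http.MaxBytesError once the cap is crossed.
		r.Body = http.MaxBytesReader(w, r.Body, limits.MaxRequestBody)
		next.ServeHTTP(w, r)
	})
}

// echo is the protected handler: it reads the body and turns the reader cap into a 413 so the client learns why the request failed.
func echo(rejected RejectCounter) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(r.Body)
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			reject(w, rejected, "body_size", http.StatusRequestEntityTooLarge)
			return
		}
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		w.Write(body)
	})
}

// probe sends one constructed POST through the middleware and returns the status. httptest gives a
// *strings.Reader body a Content-Length; wrapping it in io.NopCloser hides the length and exercises the MaxBytesReader path.
func probe(limits Limits, rejected RejectCounter, headers map[string]string, body io.Reader) int {
	req := httptest.NewRequest(http.MethodPost, "https://example.com/", body)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	WithLimits(limits, rejected, echo(rejected)).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	limits := Limits{MaxRequestBody: 16, MaxHeaderSize: 64, MaxHeaderCount: 2} // tiny limits for the demo
	rejected := RejectCounter{}
	fmt.Println("ok:", probe(limits, rejected, map[string]string{"X-Test": "v"}, strings.NewReader("hello")))
	fmt.Println("too many headers:", probe(limits, rejected, map[string]string{"A": "1", "B": "2", "C": "3"}, strings.NewReader("x")))
	fmt.Println("headers too large:", probe(limits, rejected, map[string]string{"X-Big": strings.Repeat("a", 100)}, strings.NewReader("x")))
	fmt.Println("declared body too large:", probe(limits, rejected, nil, strings.NewReader(strings.Repeat("b", 32))))
	fmt.Println("chunked body too large:", probe(limits, rejected, nil, io.NopCloser(strings.NewReader(strings.Repeat("c", 32)))))
	fmt.Println("rejected by reason:", rejected)
}
```

Two points worth carrying over to a real deployment: the header checks run before the body is touched, so a header-flooding request costs the server nothing beyond parsing, and the body check has to be made in both places, since Content-Length is attacker-controlled and a chunked request never declares one. On a real net/http server, crossing the MaxBytesReader cap also makes the server close the connection after the reply, so the peer cannot keep streaming on the same connection.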
@Xe force-pushed the me/xe-29-fixsakurajima-add-request-size-limits-to-prevent-dos branch from 804741a to bc71e54 on February 10, 2026 22:27
@github-actions (Contributor) commented:

The latest Buf updates on your PR. Results from workflow Go / build (pull_request).

Build      Format     Lint       Breaking   Updated (UTC)
✅ passed  ✅ passed  ✅ passed  ✅ passed  Feb 10, 2026, 10:27 PM

@Xe Xe merged commit f207855 into master Feb 10, 2026
7 checks passed
Xe pushed a commit that referenced this pull request Feb 16, 2026
# [1.30.0](v1.29.0...v1.30.0) (2026-02-16)

### Bug Fixes

* **falin:** resolve npm ci dependency conflict ([#835](#835)) ([683bff8](683bff8))
* **mi:** use blog post summary in Bluesky embed description ([#848](#848)) ([7491810](7491810))
* **nguh:** return error for unsupported tokens ([d1a50e7](d1a50e7))
* **skills/xe-writing-style:** update details about successive paragraph starting letter rule ([5808b2b](5808b2b))
* **skills/xe-writing-style:** wumbofy this with Opus ([cea6609](cea6609))
* **useragent:** use filepath.Base for os.Args[0] in GenUserAgent ([#830](#830)) ([3ef21d9](3ef21d9))
* **web:** replace deprecated io/ioutil with io ([#829](#829)) ([fee5e4f](fee5e4f))

### Features

* **cmd/x:** add ai-add-provider and ai-list-models subcommands ([#850](#850)) ([bba7f41](bba7f41))
* **python:** accept io/fs.FS as root filesystem parameter ([#813](#813)) ([87b97e8](87b97e8))
* **reviewbot:** add Python interpreter with repo filesystem ([#814](#814)) ([b40ff1c](b40ff1c))
* **sakurajima:** add HTTP request timeouts to prevent hanging connections ([#837](#837)) ([d50a792](d50a792))
* **sakurajima:** add request size limits to prevent DoS attacks ([#838](#838)) ([f207855](f207855))
* **sakurajima:** add request size limits to prevent DoS attacks ([#839](#839)) ([80dd84a](80dd84a))
* **sakurajima:** production readiness fixes and enhancements ([#834](#834)) ([4368e6f](4368e6f))
* **sapientwindex:** add state to prevent double-posts ([#825](#825)) ([6ba9223](6ba9223))
* **skills:** add experimental Xe writing style skill ([baed3bd](baed3bd))
* **skills:** add Go table-driven tests skill ([#817](#817)) ([a2e35ea](a2e35ea))
* **store:** add filesystem backends (DirectFile, JSONMutexDB, CAS) ([#824](#824)) ([4f694cf](4f694cf))
* **totpgen:** add TOTP code generator command ([#833](#833)) ([d0a556d](d0a556d))

### BREAKING CHANGES

* **python:** llm/codeinterpreter/python.Run() now takes fs.FS as first parameter

Assisted-by: GLM 4.6 via Claude Code
Reviewbot-request: yes

Signed-off-by: Xe Iaso <[email protected]>

Signed-off-by: Mimi Yasomi <[email protected]>
@Xe (Owner, Author) commented Feb 16, 2026

🎉 This PR is included in version 1.30.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@Xe Xe added the released label Feb 16, 2026