Configuring Request Size Limits
To set and enforce limits on incoming request payloads in Flask, use global configuration keys, or override the limits on a per-request basis through the Request object.
Globally Configuring Request Limits
Set the following keys in your application configuration to apply limits across all routes. These limits are enforced by the Request class in src/flask/wrappers.py when it accesses the application context.
from flask import Flask
app = Flask(__name__)
# Limit the total request body size to 16MB
app.config["MAX_CONTENT_LENGTH"] = 16 * 1024 * 1024
# Limit individual non-file form fields to 500KB (Default: 500,000)
app.config["MAX_FORM_MEMORY_SIZE"] = 500_000
# Limit the total number of fields in a multipart body (Default: 1,000)
app.config["MAX_FORM_PARTS"] = 1_000
Overriding Limits for Specific Routes
You can override global limits for specific views by setting properties directly on the request object. This is useful for endpoints that require larger file uploads while maintaining strict limits for the rest of the application.
from flask import Flask, request
app = Flask(__name__)
app.config["MAX_CONTENT_LENGTH"] = 1024 * 1024 # 1MB global limit
@app.post("/upload")
def upload_large_file():
    # Increase the limit to 100MB for this specific request
    request.max_content_length = 100 * 1024 * 1024
    # The limit is enforced when form or file data is accessed
    if "file" in request.files:
        return "File received"
    return "No file", 400
The Request class (found in src/flask/wrappers.py) provides setters for these properties that take precedence over the application configuration:
request.max_content_length
request.max_form_memory_size
request.max_form_parts
Handling Limit Violations
When a request exceeds any of the configured limits, Flask raises a 413 RequestEntityTooLarge error. You can catch this using an error handler to provide a custom response.
from flask import Flask
app = Flask(__name__)
@app.errorhandler(413)
def request_too_large(e):
    # Return a custom body while keeping the 413 status code
    return "The uploaded file or form data is too large.", 413
Troubleshooting and Behavior
Enforcement Timing
Limits are not necessarily enforced the moment the request starts. As seen in src/flask/wrappers.py, the Request object enforces these limits when it attempts to load form data (e.g., calling request.form or request.files).
Infinite Stream Protection
If MAX_CONTENT_LENGTH is set to None (the default) and the incoming request lacks a Content-Length header, Flask may refuse to read the data to prevent potential infinite streams, unless the WSGI server indicates the stream is terminated.
Multipart Constraints
The MAX_FORM_MEMORY_SIZE and MAX_FORM_PARTS constraints specifically target multipart/form-data bodies.
MAX_FORM_MEMORY_SIZE limits the size of non-file fields.
MAX_FORM_PARTS limits the total count of fields to prevent resource exhaustion attacks.
These properties are implemented in src/flask/wrappers.py as follows:
@property
def max_form_parts(self) -> int | None:
    if self._max_form_parts is not None:
        return self._max_form_parts
    if not current_app:
        return super().max_form_parts
    return current_app.config["MAX_FORM_PARTS"]