From what I know (and always do), HTTP frameworks should always sit behind a reverse proxy such as nginx / Apache, as these are much faster and more efficient at handling requests. Nginx, for example, comes with a client_max_body_size.
I don't think java-express (together with Express) should ever be directly exposed; there are way too many ways to attack a server, and DDoS is just the most popular one. For example, I don't know how or whether Java's HTTP server has anything against Slowloris attacks, which we couldn't prevent without implementing the whole HTTP server on our own. The same goes for a whole set of security / caching / response-handling mechanisms implemented in reverse-proxy servers, or in those which are specialized in just handling and forwarding requests to an endpoint.
Java-express should only take care of security if it directly affects a part of the framework, and not re-invent the wheel of a web server (but instead serve as a way to easily implement APIs in Java).
But that's just me, and I have no idea how people work with Java in production. What do you think, or how would you handle that?
Overview
We need some sort of measure to prevent attacks based on huge HTTP request payloads.
@simonwep, would you suggest any particular configuration class to implement this feature?
We could probably implement this as a middleware extension.
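One way such a middleware could look, as an added example that is not java-express's own code: it is written against the JDK's com.sun.net.httpserver (which java-express builds on) so it runs stand-alone; the port, the 1024-byte limit, the `/upload` path and the `limitBody` / `BoundedInputStream` names are assumptions for illustration, and hooking it into java-express's own middleware API is left to the project. The point it shows is that checking Content-Length alone is not enough, because a client may send a chunked body with no length or simply lie about it, so the bytes actually read must be capped as well.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;

import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;

public class BodyLimitExample {

    /** Raised as soon as a request body exceeds the configured cap while being read. */
    static final class PayloadTooLargeException extends IOException {
        PayloadTooLargeException(long limit) {
            super("request body exceeds " + limit + " bytes");
        }
    }

    /** Counts bytes as the handler consumes them and fails once the cap is exceeded. */
    static final class BoundedInputStream extends FilterInputStream {
        private final long limit;
        private long consumed;

        BoundedInputStream(InputStream in, long limit) {
            super(in);
            this.limit = limit;
        }

        @Override public int read() throws IOException {
            int b = super.read();
            if (b != -1) account(1);
            return b;
        }

        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            if (n > 0) account(n);
            return n;
        }

        private void account(long n) throws PayloadTooLargeException {
            consumed += n;
            if (consumed > limit) throw new PayloadTooLargeException(limit);
        }
    }

    /** Sends an empty response with the given status and releases the exchange. */
    static void reject(HttpExchange exchange, int status) throws IOException {
        exchange.sendResponseHeaders(status, -1); // -1: no response body
        exchange.close();
    }

    /**
     * Hypothetical middleware: rejects bodies that declare an oversize length up front
     * (cheap, before anything is read), then caps the bytes actually read for the
     * chunked or dishonest case.
     */
    static HttpHandler limitBody(long maxBytes, HttpHandler next) {
        return exchange -> {
            String declared = exchange.getRequestHeaders().getFirst("Content-Length");
            if (declared != null) {
                long len;
                try {
                    len = Long.parseLong(declared.trim());
                } catch (NumberFormatException e) {
                    reject(exchange, 400);
                    return;
                }
                if (len < 0 || len > maxBytes) {
                    reject(exchange, 413); // 413 Payload Too Large
                    return;
                }
            }
            // No (or a trusted-looking) Content-Length: enforce on what is really read.
            exchange.setStreams(new BoundedInputStream(exchange.getRequestBody(), maxBytes), null);
            try {
                next.handle(exchange);
            } catch (PayloadTooLargeException e) {
                reject(exchange, 413);
            }
        };
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress(8080), 0); // assumed port
        HttpHandler echo = exchange -> {
            // Reads through the bounded stream, so an oversize body aborts here.
            byte[] body = exchange.getRequestBody().readAllBytes();
            byte[] reply = ("received " + body.length + " bytes\n").getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, reply.length);
            try (OutputStream out = exchange.getResponseBody()) {
                out.write(reply);
            }
        };
        server.createContext("/upload", limitBody(1024, echo)); // assumed 1 KiB cap
        server.start();
    }
}
```

Two caveats worth keeping in mind when deciding where this belongs. A byte cap bounds memory and disk, not time: a client that sends one byte per second stays well under the limit, which is the Slowloris case the comment above points at and which a reverse proxy's read timeouts handle. And the framework-level check only protects handlers that read the body through the wrapped stream; anything that bypasses it (or buffers the whole body before the middleware runs) gets no protection.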