DEV Community

Liudas

Your API Returns 400 for Huge Payloads? Congratulations. You Just Built a Polite DoS Gateway

There’s a special kind of bug that looks completely harmless. You send a massive request body. The API calmly replies:

400 Bad Request.

Nothing crashes. No alarms. Everyone shrugs.

And that’s exactly the problem.

When an oversized payload hits your API, the only correct response is 413 Payload Too Large. HTTP already solved this years ago. If you return 400, you’re basically saying: “Something is wrong with your data,” instead of: “This request is too big and I refuse to process it.”

But here’s the uncomfortable part.

By the time you return 400, the server may have already:
• Allocated memory
• Parsed JSON
• Spent CPU cycles
• Tied up worker threads

Multiply that by concurrent requests and suddenly you’re not debugging a validation issue. You’re watching your service politely walk into a denial-of-service scenario.

This is why I added a Large Payload Test into Rentgen.

It takes a valid request and inflates only one thing: the body size. No broken JSON. No invalid headers. Just more data than your API should reasonably accept. The expected result is simple: 413. Immediately. At the boundary.

Anything else means your server is doing work it should never have started.

And this isn’t theoretical. The exact issue was detected in the ChatGPT API. Oversized payloads were being processed incorrectly. It was reported. It was fixed within a day. That response speed tells you everything about how serious this class of bug actually is.

The reason it survives in most systems is beautifully human:
• “Clients won’t send that much data.”
• “We validate input anyway.”
• “This endpoint isn’t public.”

Attackers love assumptions like that.

The fix is boring — which is precisely why it works:
Define strict payload limits. Enforce them at the edge. Return 413 consistently. Document it.
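As an added illustration (not code from the post or from Rentgen), here is the "read and parse everything, then complain" handler next to one that decides from the request headers before touching the body; the 1 KiB limit, the function names and the minimal HTTP server wiring are assumptions for the example.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY_BYTES = 1024  # constructed limit for this example; set per endpoint in practice

def naive_handle(headers, stream):
    """The 'polite DoS' shape: allocate and parse the whole body, then complain.
    Memory, CPU and the worker thread are already spent when the 400 goes out."""
    body = stream.read(int(headers.get("content-length", "0")))  # attacker-sized alloc
    try:
        data = json.loads(body)                                  # attacker-sized parse
    except ValueError:
        return 400, "malformed json"
    if len(body) > MAX_BODY_BYTES:
        return 400, "body too large"  # wrong status code, and far too late
    return 200, data

def guarded_handle(headers, stream):
    """Decide from the headers first; the body is read only once it is known to fit."""
    declared = headers.get("content-length")
    if declared is None:
        return 411, "length required"  # no length means no bounded read: refuse
    if not declared.isdigit():
        return 400, "invalid content-length"
    length = int(declared)
    if length > MAX_BODY_BYTES:
        return 413, "payload too large"  # nothing allocated, nothing parsed
    body = stream.read(length)
    try:
        return 200, json.loads(body)
    except ValueError:
        return 400, "malformed json"

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        headers = {k.lower(): v for k, v in self.headers.items()}
        status, payload = guarded_handle(headers, self.rfile)
        reply = json.dumps(payload if status == 200 else {"error": payload}).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        if status >= 400:
            # Do not drain a rejected body: tell the client we are closing the socket.
            self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(reply)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

In production the same limit belongs on the reverse proxy in front of the application as well (nginx's client_max_body_size, for example), so an oversized request is refused before it ever reaches a worker.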

No drama. No heroics. Just discipline.

APIs don’t fall over only because of exotic exploits. Sometimes they fall over because they were too polite to say: “This payload is too large.”

If your API returns 413 consistently, you’re not being strict. You’re being responsible.

Full story and technical breakdown here: https://rentgen.io/api-stories/large-payload-handling.html