http.limits

limits sets limits on HTTP requests that are accepted. The request header and body sizes can be limited.

The request header size can be capped at some number of bytes. Due to the way the Go libraries work, one limit applies to all sites on the same listener (if there are multiple configured, the minimum limit is selected).

Request body sizes can also be limited. When the number of bytes read from a request body exceeds the limit, reading will terminate and an error will be sent to the client. (Technically, it depends on each middleware that reads a request body to handle the error properly, but standard Caddy directives should respond with HTTP 413.) By default, there is no size limit.

The size values must be positive integers and are interpreted as bytes unless a unit is given. Valid examples: 3500 (3,500 bytes), 500kb (500 kilobytes), 10mb (10 megabytes), 1gb (1 gigabyte).

Syntax

limits *size*

  • size is the maximum size for both headers and bodies (individually) for the whole site.

For more control, you can open a block:

limits { header *size* body [*path*] *size* }

  • header restricts the size of the request header.
  • body restricts the size of a request body, optionally only for a base path.

Examples

Limit all request headers and bodies to 7.5 kilobytes:

limits 7500

Limit only request bodies within /upload to 50 megabytes:

limits { body /upload 50mb }

Various limits:

limits { header 100KB body /upload 100MB body /profile 25KB body /api 10KB }

Need help with this feature?

Join us in the Caddy forum, where the open source community gathers to share their knowledge.

Does your company use Caddy?

Purchase a commercial license to use Caddy with your business and for basic email support, along with other benefits!