From 4f1e9f7dc7055ed9d68f119d10abf0c3cf4c8dcb Mon Sep 17 00:00:00 2001 From: David Acker Date: Wed, 17 Aug 2022 19:08:05 -0400 Subject: [PATCH 1/7] Add request decompression middleware sample --- .../middleware/request-decompression.md | 67 +++++++++++++++++++ .../middleware/samples/readme.txt | 1 - .../7.x/CustomDecompressionProvider.cs | 14 ++++ .../request-decompression/7.x/Program.cs | 37 ++++++++++ .../7.x/RequestDecompressionSample.csproj | 9 +++ 5 files changed, 127 insertions(+), 1 deletion(-) create mode 100644 aspnetcore/fundamentals/middleware/request-decompression.md delete mode 100644 aspnetcore/fundamentals/middleware/samples/readme.txt create mode 100644 aspnetcore/fundamentals/middleware/samples/request-decompression/7.x/CustomDecompressionProvider.cs create mode 100644 aspnetcore/fundamentals/middleware/samples/request-decompression/7.x/Program.cs create mode 100644 aspnetcore/fundamentals/middleware/samples/request-decompression/7.x/RequestDecompressionSample.csproj diff --git a/aspnetcore/fundamentals/middleware/request-decompression.md b/aspnetcore/fundamentals/middleware/request-decompression.md new file mode 100644 index 000000000000..602e551dd635 --- /dev/null +++ b/aspnetcore/fundamentals/middleware/request-decompression.md @@ -0,0 +1,67 @@ +--- +title: Request Decompression in ASP.NET Core +author: david-acker +description: Learn how to use the request decompression middleware in ASP.NET Core +monikerRange: '>= aspnetcore-7.0' +ms.author: david-acker +ms.date: 8/17/2022 +uid: fundamentals/middleware/request-decompression +--- +# Request Decompression in ASP.NET Core + +By [David Acker](https://github.com/david-acker) + +The request decompression middleware enables API endpoints to start accept requests with compressed content, without requiring developers to manually include logic for identifying and decompressing these requests, by using the `Content-Encoding` HTTP header to automatically identify and decompress requests which contain compressed content. + +When the `Content-Encoding` header value on a request matches one of the available decompression providers, the middleware will use the matching provider to wrap the in an appropriate decompression stream and remove the `Content-Encoding` header (indicating that the request body is no longer compressed). For requests with uncompressed content, which specify no `Content-Encoding` header, the middleware will simply pass the requests on unchanged. + +> [!NOTE] +> * Decompression occurs when the body of the request is being read (e.g. at the endpoint, during model binding). The request body is not decompressed eagerly. +> * If the compressed data is invalid for the specified `Content-Encoding`, an exception will be thrown when attempting to read the decompressed request body. + +In the event that the middleware encounters a request with compressed content but will not be able to decompress the request, such as the request having an unsupported `Content-Encoding` header value or multiple `Content-Encoding` header values, the middleware will pass the request on changed. + +## Configuration + +The following code shows how to enable request decompression for the default `Content-Encoding` types: + +[!code-csharp[](samples/request-decompression/7.x/Program.cs?name=snippet_WithDefaultProviders&highlight=3,7)] + +## Decompression Providers + +### Default Providers + +The `Content-Encoding` header values that the request decompression middleware supports by default are listed in the following table: + +| [`Content-Encoding`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding) header values | Description | +| --------- | --------- | +| `br` | [Brotli compressed data format](https://tools.ietf.org/html/rfc7932) | +| `deflate` | [DEFLATE compressed data format](https://tools.ietf.org/html/rfc1951) | +| `gzip` | [Gzip file format](https://tools.ietf.org/html/rfc1952) | + +### Custom Providers + +Support for custom or niche encodings can be added by creating custom decompression provider classes which implement : + +[!code-csharp[](samples/request-decompression/7.x/CustomDecompressionProvider.cs?name=snippet_CustomDecompressionProvider)] + +These custom decompression providers can then be registered with along with their corresponding `Content-Encoding` header values: + +[!code-csharp[](samples/request-decompression/7.x/Program.cs?name=snippet_WithCustomProvider&highlight=3-6,10)] + +## Request Size Limits + +In order to guard against [zip bombs/decompression bombs](https://en.wikipedia.org/wiki/Zip_bomb), the maximum size of the decompressed request body is limited to the request body size limit enforced by the endpoint or server. If the number of bytes read from the decompressed request body stream exceeds this limit, an [InvalidOperationException](xref:System.InvalidOperationException) will be thrown to prevent additional bytes from being read from the stream. + +If available, the size limit specified for the endpoint by , such as or for MVC endpoints, will be used. Otherwise, the global server size limit specified by will be used. + +> [!WARNING] +> Disabling the request body size limit poses a security risk in regards to uncontrolled resource consumption, particularly if the request body is being buffered. Ensure that safeguards are in place to mitigate the risk of denial of service attacks. + +## Additional Resources + +* +* [Mozilla Developer Network: Content-Encoding](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding) +* [Brotli Compressed Data Format](https://www.rfc-editor.org/rfc/rfc7932) +* [DEFLATE Compressed Data Format Specification version 1.3](https://www.rfc-editor.org/rfc/rfc1951) +* [GZIP file format specification version 4.3](https://www.rfc-editor.org/rfc/rfc1952) \ No newline at end of file diff --git a/aspnetcore/fundamentals/middleware/samples/readme.txt b/aspnetcore/fundamentals/middleware/samples/readme.txt deleted file mode 100644 index ee57ae4b26b5..000000000000 --- a/aspnetcore/fundamentals/middleware/samples/readme.txt +++ /dev/null @@ -1 +0,0 @@ -Delete this file after writing sample for [#26541](https://github.com/dotnet/AspNetCore.Docs/issues/26541) diff --git a/aspnetcore/fundamentals/middleware/samples/request-decompression/7.x/CustomDecompressionProvider.cs b/aspnetcore/fundamentals/middleware/samples/request-decompression/7.x/CustomDecompressionProvider.cs new file mode 100644 index 000000000000..58dedc929e12 --- /dev/null +++ b/aspnetcore/fundamentals/middleware/samples/request-decompression/7.x/CustomDecompressionProvider.cs @@ -0,0 +1,14 @@ +using Microsoft.AspNetCore.RequestDecompression; + +namespace RequestDecompressionSample; + +#region snippet_CustomDecompressionProvider +public class CustomDecompressionProvider : IDecompressionProvider +{ + public Stream GetDecompressionStream(Stream stream) + { + // Perform custom decompression logic here + return stream; + } +} +#endregion diff --git a/aspnetcore/fundamentals/middleware/samples/request-decompression/7.x/Program.cs b/aspnetcore/fundamentals/middleware/samples/request-decompression/7.x/Program.cs new file mode 100644 index 000000000000..ee7775fe32a8 --- /dev/null +++ b/aspnetcore/fundamentals/middleware/samples/request-decompression/7.x/Program.cs @@ -0,0 +1,37 @@ +#define WithDefaultProviders // WithDefaultProviders WithCustomProvider + +using Microsoft.AspNetCore.Http.HttpResults; +using RequestDecompressionSample; + +#if WithDefaultProviders +#region snippet_WithDefaultProviders +var builder = WebApplication.CreateBuilder(args); + +builder.Services.AddRequestDecompression(); + +var app = builder.Build(); + +app.UseRequestDecompression(); + +app.MapPost("/", (HttpRequest request) => Results.Stream(request.Body)); + +app.Run(); +#endregion +#elif WithCustomProvider +#region snippet_WithCustomProvider +var builder = WebApplication.CreateBuilder(args); + +builder.Services.AddRequestDecompression(options => +{ + options.DecompressionProviders.Add("custom", new CustomDecompressionProvider()); +}); + +var app = builder.Build(); + +app.UseRequestDecompression(); + +app.MapPost("/", (HttpRequest request) => Results.Stream(request.Body)); + +app.Run(); +#endregion +#endif diff --git a/aspnetcore/fundamentals/middleware/samples/request-decompression/7.x/RequestDecompressionSample.csproj b/aspnetcore/fundamentals/middleware/samples/request-decompression/7.x/RequestDecompressionSample.csproj new file mode 100644 index 000000000000..f1fe53268f8d --- /dev/null +++ b/aspnetcore/fundamentals/middleware/samples/request-decompression/7.x/RequestDecompressionSample.csproj @@ -0,0 +1,9 @@ + + + + net7.0 + enable + enable + + + \ No newline at end of file From bdb56be776d1ffa0924fc64b3c5c955502d1734d Mon Sep 17 00:00:00 2001 From: David Acker Date: Wed, 17 Aug 2022 19:23:16 -0400 Subject: [PATCH 2/7] Add to table of built-in middleware --- aspnetcore/fundamentals/middleware/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/aspnetcore/fundamentals/middleware/index.md b/aspnetcore/fundamentals/middleware/index.md index c857774abcdb..e9eac056cc53 100644 --- a/aspnetcore/fundamentals/middleware/index.md +++ b/aspnetcore/fundamentals/middleware/index.md @@ -260,6 +260,7 @@ ASP.NET Core ships with the following middleware components. The *Order* column | [HTTP Strict Transport Security (HSTS)](xref:security/enforcing-ssl#http-strict-transport-security-protocol-hsts) | Security enhancement middleware that adds a special response header. | Before responses are sent and after components that modify requests. Examples: Forwarded Headers, URL Rewriting. | | [MVC](xref:mvc/overview) | Processes requests with MVC/Razor Pages. | Terminal if a request matches a route. | | [OWIN](xref:fundamentals/owin) | Interop with OWIN-based apps, servers, and middleware. | Terminal if the OWIN Middleware fully processes the request. | +| [Request Decompression](xref:fundamentals/middleware/request-decompression) | Provides support for decompressing requests. | Before components that read the request body. | | [Response Caching](xref:performance/caching/middleware) | Provides support for caching responses. | Before components that require caching. `UseCORS` must come before `UseResponseCaching`.| | [Response Compression](xref:performance/response-compression) | Provides support for compressing responses. | Before components that require compression. | | [Request Localization](xref:fundamentals/localization) | Provides localization support. | Before localization sensitive components. Must appear after Routing Middleware when using . | From 9f8f7538a71adec0ad460acc3754e9df40b1f064 Mon Sep 17 00:00:00 2001 From: David Acker Date: Wed, 17 Aug 2022 19:30:36 -0400 Subject: [PATCH 3/7] Clean up, fix typo --- aspnetcore/fundamentals/middleware/request-decompression.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/fundamentals/middleware/request-decompression.md b/aspnetcore/fundamentals/middleware/request-decompression.md index 602e551dd635..e2f3755aa290 100644 --- a/aspnetcore/fundamentals/middleware/request-decompression.md +++ b/aspnetcore/fundamentals/middleware/request-decompression.md @@ -11,7 +11,7 @@ uid: fundamentals/middleware/request-decompression By [David Acker](https://github.com/david-acker) -The request decompression middleware enables API endpoints to start accept requests with compressed content, without requiring developers to manually include logic for identifying and decompressing these requests, by using the `Content-Encoding` HTTP header to automatically identify and decompress requests which contain compressed content. +The request decompression middleware enables API endpoints to start accepting requests with compressed content, without requiring developers to manually handle compressed requests, by using the `Content-Encoding` HTTP header to automatically identify and decompress requests which contain compressed content. When the `Content-Encoding` header value on a request matches one of the available decompression providers, the middleware will use the matching provider to wrap the in an appropriate decompression stream and remove the `Content-Encoding` header (indicating that the request body is no longer compressed). For requests with uncompressed content, which specify no `Content-Encoding` header, the middleware will simply pass the requests on unchanged. From f3d5a77dc6934f0bac17b9f00ea2876af7ac84fb Mon Sep 17 00:00:00 2001 From: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> Date: Wed, 17 Aug 2022 12:54:01 -1000 Subject: [PATCH 4/7] minor cleanup of RequestDecompression middleware /8 --- .../middleware/request-decompression.md | 38 ++++++++++++------- 1 file changed, 25 insertions(+), 13 deletions(-) diff --git a/aspnetcore/fundamentals/middleware/request-decompression.md b/aspnetcore/fundamentals/middleware/request-decompression.md index e2f3755aa290..b08ecc9959e3 100644 --- a/aspnetcore/fundamentals/middleware/request-decompression.md +++ b/aspnetcore/fundamentals/middleware/request-decompression.md @@ -3,7 +3,7 @@ title: Request Decompression in ASP.NET Core author: david-acker description: Learn how to use the request decompression middleware in ASP.NET Core monikerRange: '>= aspnetcore-7.0' -ms.author: david-acker +ms.author: riande ms.date: 8/17/2022 uid: fundamentals/middleware/request-decompression --- @@ -11,24 +11,36 @@ uid: fundamentals/middleware/request-decompression By [David Acker](https://github.com/david-acker) -The request decompression middleware enables API endpoints to start accepting requests with compressed content, without requiring developers to manually handle compressed requests, by using the `Content-Encoding` HTTP header to automatically identify and decompress requests which contain compressed content. +Request decompression middleware: -When the `Content-Encoding` header value on a request matches one of the available decompression providers, the middleware will use the matching provider to wrap the in an appropriate decompression stream and remove the `Content-Encoding` header (indicating that the request body is no longer compressed). For requests with uncompressed content, which specify no `Content-Encoding` header, the middleware will simply pass the requests on unchanged. +* Enables API endpoints to start accepting requests with compressed content. +* Uses the [`Content-Encoding`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Encoding) HTTP header to automatically identify and decompress requests which contain compressed content. +* Eliminates the need to write code to handle compressed requests. -> [!NOTE] -> * Decompression occurs when the body of the request is being read (e.g. at the endpoint, during model binding). The request body is not decompressed eagerly. -> * If the compressed data is invalid for the specified `Content-Encoding`, an exception will be thrown when attempting to read the decompressed request body. +When the `Content-Encoding` header value on a request matches one of the available decompression providers: -In the event that the middleware encounters a request with compressed content but will not be able to decompress the request, such as the request having an unsupported `Content-Encoding` header value or multiple `Content-Encoding` header values, the middleware will pass the request on changed. +* The middleware uses the matching provider to wrap the in an appropriate decompression stream. +* Remove the `Content-Encoding` header, indicating that the request body is no longer compressed. + +Requests with uncompressed content which don't include a `Content-Encoding` header are ignored by the middleware. + +Decompression: + +* Occurs when the body of the request is being read. That is, decompression occurs at the endpoint on model binding. The request body is not decompressed eagerly. +* When attempting to read the decompressed request body, if the compressed data is invalid for the specified `Content-Encoding`, an exception is thrown. + +If the middleware encounters a request with compressed content but is unable to decompress it, the request is passed to the next delegate in the pipeline. For example, a request with an unsupported `Content-Encoding` header value or multiple `Content-Encoding` header values, is passed to the next delegate in the pipeline. ## Configuration -The following code shows how to enable request decompression for the default `Content-Encoding` types: +The following code shows how to enable request decompression for the [default](#default) `Content-Encoding` types: [!code-csharp[](samples/request-decompression/7.x/Program.cs?name=snippet_WithDefaultProviders&highlight=3,7)] ## Decompression Providers + + ### Default Providers The `Content-Encoding` header values that the request decompression middleware supports by default are listed in the following table: @@ -41,22 +53,22 @@ The `Content-Encoding` header values that the request decompression middleware s ### Custom Providers -Support for custom or niche encodings can be added by creating custom decompression provider classes which implement : +Support for custom encodings can be added by creating custom decompression provider classes which implement : [!code-csharp[](samples/request-decompression/7.x/CustomDecompressionProvider.cs?name=snippet_CustomDecompressionProvider)] -These custom decompression providers can then be registered with along with their corresponding `Content-Encoding` header values: +Custom decompression providers are registered with along with their corresponding `Content-Encoding` header values: [!code-csharp[](samples/request-decompression/7.x/Program.cs?name=snippet_WithCustomProvider&highlight=3-6,10)] ## Request Size Limits -In order to guard against [zip bombs/decompression bombs](https://en.wikipedia.org/wiki/Zip_bomb), the maximum size of the decompressed request body is limited to the request body size limit enforced by the endpoint or server. If the number of bytes read from the decompressed request body stream exceeds this limit, an [InvalidOperationException](xref:System.InvalidOperationException) will be thrown to prevent additional bytes from being read from the stream. +In order to guard against [zip bombs or decompression bombs](https://en.wikipedia.org/wiki/Zip_bomb), the maximum size of the decompressed request body is limited to the request body size limit enforced by the endpoint or server. If the number of bytes read from the decompressed request body stream exceeds the limit, an [InvalidOperationException](xref:System.InvalidOperationException) is thrown to prevent additional bytes from being read from the stream. -If available, the size limit specified for the endpoint by , such as or for MVC endpoints, will be used. Otherwise, the global server size limit specified by will be used. +If available, the size limit specified for the endpoint by , such as or for MVC endpoints, is used. Otherwise, the global server size limit specified by is used. > [!WARNING] -> Disabling the request body size limit poses a security risk in regards to uncontrolled resource consumption, particularly if the request body is being buffered. Ensure that safeguards are in place to mitigate the risk of denial of service attacks. +> Disabling the request body size limit poses a security risk in regards to uncontrolled resource consumption, particularly if the request body is being buffered. Ensure that safeguards are in place to mitigate the risk of [denial-of-service](https://www.cisa.gov/uscert/ncas/tips/ST04-015) (DoS) attacks. ## Additional Resources From 05b5fb89162e6900cb92d17972630ba51be39457 Mon Sep 17 00:00:00 2001 From: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> Date: Wed, 17 Aug 2022 14:36:14 -1000 Subject: [PATCH 5/7] minor cleanup of RequestDecompression middleware /8 --- .../middleware/request-decompression.md | 32 +++++++++++-------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/aspnetcore/fundamentals/middleware/request-decompression.md b/aspnetcore/fundamentals/middleware/request-decompression.md index b08ecc9959e3..b7e6dd40e3e4 100644 --- a/aspnetcore/fundamentals/middleware/request-decompression.md +++ b/aspnetcore/fundamentals/middleware/request-decompression.md @@ -7,20 +7,20 @@ ms.author: riande ms.date: 8/17/2022 uid: fundamentals/middleware/request-decompression --- -# Request Decompression in ASP.NET Core +# Request decompression in ASP.NET Core By [David Acker](https://github.com/david-acker) Request decompression middleware: -* Enables API endpoints to start accepting requests with compressed content. +* Enables API endpoints to accept requests with compressed content. * Uses the [`Content-Encoding`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Encoding) HTTP header to automatically identify and decompress requests which contain compressed content. * Eliminates the need to write code to handle compressed requests. -When the `Content-Encoding` header value on a request matches one of the available decompression providers: +When the `Content-Encoding` header value on a request matches one of the available decompression providers, the middleware: -* The middleware uses the matching provider to wrap the in an appropriate decompression stream. -* Remove the `Content-Encoding` header, indicating that the request body is no longer compressed. +* Uses the matching provider to wrap the in an appropriate decompression stream. +* Removes the `Content-Encoding` header, indicating that the request body is no longer compressed. Requests with uncompressed content which don't include a `Content-Encoding` header are ignored by the middleware. @@ -37,11 +37,9 @@ The following code shows how to enable request decompression for the [default](# [!code-csharp[](samples/request-decompression/7.x/Program.cs?name=snippet_WithDefaultProviders&highlight=3,7)] -## Decompression Providers - -### Default Providers +## Default decompression providers The `Content-Encoding` header values that the request decompression middleware supports by default are listed in the following table: @@ -51,9 +49,9 @@ The `Content-Encoding` header values that the request decompression middleware s | `deflate` | [DEFLATE compressed data format](https://tools.ietf.org/html/rfc1951) | | `gzip` | [Gzip file format](https://tools.ietf.org/html/rfc1952) | -### Custom Providers +## Custom decompression providers -Support for custom encodings can be added by creating custom decompression provider classes which implement : +Support for custom encodings can be added by creating custom decompression provider classes that implement : [!code-csharp[](samples/request-decompression/7.x/CustomDecompressionProvider.cs?name=snippet_CustomDecompressionProvider)] @@ -61,11 +59,17 @@ Custom decompression providers are registered with , such as or for MVC endpoints, is used. Otherwise, the global server size limit specified by is used. +* , such as or for MVC endpoints. +* If the preceding API's aren't applied, the global server size limit specified by is used. > [!WARNING] > Disabling the request body size limit poses a security risk in regards to uncontrolled resource consumption, particularly if the request body is being buffered. Ensure that safeguards are in place to mitigate the risk of [denial-of-service](https://www.cisa.gov/uscert/ncas/tips/ST04-015) (DoS) attacks. @@ -76,4 +80,4 @@ If available, the size limit specified for the endpoint by Date: Wed, 17 Aug 2022 15:23:40 -1000 Subject: [PATCH 6/7] minor cleanup of RequestDecompression middleware /8 --- aspnetcore/fundamentals/middleware/request-decompression.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/fundamentals/middleware/request-decompression.md b/aspnetcore/fundamentals/middleware/request-decompression.md index b7e6dd40e3e4..c4b23baa8245 100644 --- a/aspnetcore/fundamentals/middleware/request-decompression.md +++ b/aspnetcore/fundamentals/middleware/request-decompression.md @@ -22,7 +22,7 @@ When the `Content-Encoding` header value on a request matches one of the availab * Uses the matching provider to wrap the in an appropriate decompression stream. * Removes the `Content-Encoding` header, indicating that the request body is no longer compressed. -Requests with uncompressed content which don't include a `Content-Encoding` header are ignored by the middleware. +Requests that don't include a `Content-Encoding` header are ignored by the request decompression middleware. Decompression: From 31cda3eea5e2529fc10d1382760e876475b35f55 Mon Sep 17 00:00:00 2001 From: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> Date: Thu, 18 Aug 2022 16:00:44 -1000 Subject: [PATCH 7/7] react to feedback --- aspnetcore/fundamentals/middleware/request-decompression.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aspnetcore/fundamentals/middleware/request-decompression.md b/aspnetcore/fundamentals/middleware/request-decompression.md index c4b23baa8245..47e669f7efa8 100644 --- a/aspnetcore/fundamentals/middleware/request-decompression.md +++ b/aspnetcore/fundamentals/middleware/request-decompression.md @@ -29,7 +29,7 @@ Decompression: * Occurs when the body of the request is being read. That is, decompression occurs at the endpoint on model binding. The request body is not decompressed eagerly. * When attempting to read the decompressed request body, if the compressed data is invalid for the specified `Content-Encoding`, an exception is thrown. -If the middleware encounters a request with compressed content but is unable to decompress it, the request is passed to the next delegate in the pipeline. For example, a request with an unsupported `Content-Encoding` header value or multiple `Content-Encoding` header values, is passed to the next delegate in the pipeline. +If the middleware encounters a request with compressed content but is unable to decompress it, the request is passed to the next delegate in the pipeline. For example, a request with an unsupported `Content-Encoding` header value or multiple `Content-Encoding` header values, is passed to the next delegate in the pipeline. For example, Brotli can throw `System.InvalidOperationException:` Decoder ran into invalid data, Deflate and GZip can throw `System.IO.InvalidDataException`: The archive entry was compressed using an unsupported compression method. ## Configuration @@ -69,7 +69,7 @@ In order to guard against [zip bombs or decompression bombs](https://en.wikipedi The maximum request size for an endpoint is set by: * , such as or for MVC endpoints. -* If the preceding API's aren't applied, the global server size limit specified by is used. +* The global server size limit . If not set, [`MaxRequestBodySize`](https://github.com/dotnet/aspnetcore/blob/197c1693d3c830af52b587e8d88891bc9689be44/src/Servers/Kestrel/Core/src/KestrelServerLimits.cs#L148-L157) uses the [default value](https://github.com/dotnet/aspnetcore/blob/197c1693d3c830af52b587e8d88891bc9689be44/src/Servers/Kestrel/Core/src/KestrelServerLimits.cs#L153). `MaxRequestBodySize` can be overridden per request with [`IHttpMaxRequestBodySizeFeature.MaxRequestBodySize`](xref:Microsoft.AspNetCore.Http.Features.IHttpMaxRequestBodySizeFeature.MaxRequestBodySize) > [!WARNING] > Disabling the request body size limit poses a security risk in regards to uncontrolled resource consumption, particularly if the request body is being buffered. Ensure that safeguards are in place to mitigate the risk of [denial-of-service](https://www.cisa.gov/uscert/ncas/tips/ST04-015) (DoS) attacks.