Limit Message Size Assertion

The Limit Request Size assertion allows you to specify a size limit for an entire message (including attachments) or just the XML portion of a message (not including attachments). When the request size exceeds the designated limit, the  will reject the message and terminate policy execution.
gateway90
The Limit Request Size assertion allows you to specify a size limit for an entire message (including attachments) or just the XML portion of a message (not including attachments). When the request size exceeds the designated limit, the
API Gateway
 will reject the message and terminate policy execution.
This assertion should be placed before the routing assertion in the policy.
The Limit Request Size assertion was designed to prevent Denial of Service attacks, hence the immediate cessation of the policy upon failure. If you wish to continue processing the policy even after the request size has exceeded a certain value, you could use the Compare Expression assertion with the
${request.http.header.content-length}
context variable. However be aware that this method is not foolproof as the declared content-length is easily forged or it may not be present in the request. For added protection, also include a Limit Message Size assertion later in the policy to enforce a hard cap should the policy logic be mislead by the content-length header. Also, keep in mind that the
${request.http.header.content-length}
will be smaller than the message if compression is used.
To learn about selecting the target message for this assertion, see Select a Target Message. Note that you can also select the target message in the assertion properties.
Using the Assertion
  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Add an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
     
  2. When adding the assertion, the 
    Message Size Limit Properties
     automatically appear; when modifying the assertion, right-click 
    <target>
    : Limit Message Size 
    in the policy window and select 
    Message Size Limit Properties
     or double-click the assertion in the policy window. The assertion properties are displayed:
  3. Configure the properties as follows:
    Setting
    Description
    Specify size limit for
    Select the target message to be controlled by the size limit:
    Request
    ,
    Response
    , or a
    context variable
    of type Message.
    The target message can also be changed by using the Message Target dialog. For more information, see Select a Target Message
    Maximum Size Limit
    Enter the maximum message size that should be accepted by the
    API Gateway
    in kilobytes (KB). The value must be a whole number or a context variable that resolves to the limit.
    The size limit entered here lets you set a stricter limit within the maximum set in the cluster-wide property
    io.xmlPartMaxBytes
    .
    Exempt MIME attachments from the size limit
    By default, the size limit applies to the entire message. To apply the limit to only the XML portion of the message and exempt any MIME attachments, select the check box.
    Messages with more than 32K of headers in the MIME attachment portion of a message will always be rejected, regardless of the setting of this check box.
  4. Click [
    OK
    ] when done.