fix(websocket): add maxPayload limit to prevent DoS attacks

Set 1MB payload limit and disable perMessageDeflate to prevent
memory exhaustion and zip bomb attacks on WebSocket server.
This commit is contained in:
kaitranntt
2026-02-02 23:40:04 -05:00
parent 24b03121fd
commit 4fd2f601f6
+5 -1
View File
@@ -32,7 +32,11 @@ export interface ServerInstance {
export async function startServer(options: ServerOptions): Promise<ServerInstance> {
const app = express();
const server = http.createServer(app);
const wss = new WebSocketServer({ server });
const wss = new WebSocketServer({
server,
maxPayload: 1024 * 1024, // 1MB hard limit to prevent DoS
perMessageDeflate: false, // Prevent zip bomb attacks
});
// JSON body parsing with error handler for malformed JSON
app.use(express.json());