From 4fd2f601f676c0710b078960ad1d6c45fba8a6ca Mon Sep 17 00:00:00 2001 From: kaitranntt Date: Mon, 2 Feb 2026 23:40:04 -0500 Subject: [PATCH] fix(websocket): add maxPayload limit to prevent DoS attacks Set 1MB payload limit and disable perMessageDeflate to prevent memory exhaustion and zip bomb attacks on WebSocket server. --- src/web-server/index.ts | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/web-server/index.ts b/src/web-server/index.ts index 51fd523c..fd64547c 100644 --- a/src/web-server/index.ts +++ b/src/web-server/index.ts @@ -32,7 +32,11 @@ export interface ServerInstance { export async function startServer(options: ServerOptions): Promise { const app = express(); const server = http.createServer(app); - const wss = new WebSocketServer({ server }); + const wss = new WebSocketServer({ + server, + maxPayload: 1024 * 1024, // 1MB hard limit to prevent DoS + perMessageDeflate: false, // Prevent zip bomb attacks + }); // JSON body parsing with error handler for malformed JSON app.use(express.json());