Limit Properties

The Ioto web server supports configuration properties that improve security by limiting the size and number of incoming requests. This technique is known as "sandboxing" because it creates a limited, safer area in which Ioto executes.

Limits

Description Collection of limit properties
Synopsis limits: { "Limit-Property": "Limit-Value", ...}
Example limits: { body: "100K", connections: "100", header: "10K", sessions: "20", upload: "20MB", },
Notes

All limit values may be numbers or human-readable strings with unit suffixes.

The unit suffixes can be upper or lower case. The supported units are: unlimited, infinite, kb, k, mb, m, gb, g, byte and bytes.

Ioto has sensible defaults for these limits if not explicitly specified.

limits → body

Description Sets the maximum size of the request body in POST and PUT requests.
Synopsis body: "max-size"
Example body: "100K"
Notes

The body limit defines the maximum size of the request body for POST and PUT requests.

For embedded applications, it is useful to limit the request body to the expected maximum. This ensures that rogue or malicious requests will not cause the server to allocate unwanted memory for servicing the request.

The default limit is 100K.

Security

This property helps mitigate denial-of-service attacks in which the attacker sends requests with very large bodies: the server will not allocate memory for a body larger than the configured limit.
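The following is an added example and not Ioto's own code: a small C parser for limit values with the unit suffixes listed under Limits above (upper or lower case; unlimited, infinite, kb, k, mb, m, gb, g, byte, bytes), followed by the two checks a body limit (or an upload limit) implies: a Content-Length check before any body bytes are buffered, and a running byte count as data actually arrives, since Content-Length is only the client's claim. It assumes binary multipliers (k = 1024, m = 1024^2, g = 1024^3), which the page does not specify, uses UINT64_MAX as its own "unlimited" sentinel, and picks 400/413 as result codes by convention. The limits block and Content-Length values in main() are constructed for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sentinel for "unlimited" / "infinite" (this example's convention). */
#define LIMIT_UNLIMITED UINT64_MAX

/* ASCII case-insensitive equality, so unit suffixes may be upper or lower case. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Parse "100K", "20mb", "512 bytes", "1024" or "unlimited" into a byte count.
 * Returns 0 and stores the value in *out, or -1 for a malformed value.
 * Assumption: k/m/g are binary multipliers (the page does not say 1000 vs 1024). */
int parse_limit(const char *value, uint64_t *out)
{
    char *end;
    unsigned long long n;
    uint64_t mult;

    if (value == NULL || out == NULL) return -1;
    while (isspace((unsigned char)*value)) value++;
    if (ieq(value, "unlimited") || ieq(value, "infinite")) {
        *out = LIMIT_UNLIMITED;
        return 0;
    }
    if (!isdigit((unsigned char)*value)) return -1;      /* rejects "", "-5", "K" */
    errno = 0;
    n = strtoull(value, &end, 10);
    if (errno != 0) return -1;                            /* digits overflow 64 bits */
    while (isspace((unsigned char)*end)) end++;
    if (*end == '\0' || ieq(end, "byte") || ieq(end, "bytes")) mult = 1;
    else if (ieq(end, "k") || ieq(end, "kb"))             mult = 1024ULL;
    else if (ieq(end, "m") || ieq(end, "mb"))             mult = 1024ULL * 1024;
    else if (ieq(end, "g") || ieq(end, "gb"))             mult = 1024ULL * 1024 * 1024;
    else return -1;                                       /* unknown suffix */
    if (n > UINT64_MAX / mult) return -1;                 /* number * unit would overflow */
    *out = (uint64_t)n * mult;
    return 0;
}

/* Decide from Content-Length, before buffering any body bytes, whether a POST/PUT body
 * may be read at all. Returns 0 to accept, 400 for a malformed length, 413 if the
 * declared length exceeds the limit (status codes are this example's choice). */
int check_body_length(const char *content_length, uint64_t limit)
{
    char *end;
    unsigned long long declared;

    if (content_length == NULL || !isdigit((unsigned char)*content_length)) return 400;
    errno = 0;
    declared = strtoull(content_length, &end, 10);
    if (errno != 0 || *end != '\0') return 400;           /* "12abc", "1e9", overflow */
    if (limit != LIMIT_UNLIMITED && declared > limit) return 413;
    return 0;
}

/* Call as body bytes actually arrive (*received starts at 0 and never exceeds limit).
 * Returns 413 the moment the running total would pass the limit, so a client that
 * under-declares Content-Length or streams a chunked body still cannot exceed it. */
int account_body_bytes(uint64_t *received, size_t chunk, uint64_t limit)
{
    if (limit != LIMIT_UNLIMITED && chunk > limit - *received) return 413;
    *received += chunk;
    return 0;
}

int main(void)
{
    /* Constructed sample: the page's example limits block as key/value strings. */
    const char *limits[][2] = {
        { "body", "100K" }, { "header", "10K" }, { "upload", "20MB" },
        { "connections", "100" }, { "sessions", "unlimited" }, { "bogus", "100X" },
    };
    /* Constructed Content-Length values from three hypothetical POST requests. */
    const char *lengths[] = { "4096", "200000", "12abc" };
    uint64_t body_limit = 0, v;
    size_t i;

    for (i = 0; i < sizeof limits / sizeof limits[0]; i++) {
        if (parse_limit(limits[i][1], &v) != 0)
            printf("%-12s %-10s -> invalid, refuse to start\n", limits[i][0], limits[i][1]);
        else if (v == LIMIT_UNLIMITED)
            printf("%-12s %-10s -> unlimited\n", limits[i][0], limits[i][1]);
        else {
            printf("%-12s %-10s -> %llu bytes\n", limits[i][0], limits[i][1], (unsigned long long)v);
            if (strcmp(limits[i][0], "body") == 0) body_limit = v;
        }
    }
    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("Content-Length: %-8s -> status %d\n", lengths[i], check_body_length(lengths[i], body_limit));
    return 0;
}
```

A malformed limit string is treated as a configuration error rather than silently falling back to "unlimited"; failing closed at startup is the safer choice for a setting whose whole purpose is to bound memory use. The same pair of checks applies to the upload limit, with the per-upload size in place of the body size.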

limits → connections

Description Defines the maximum number of simultaneous client connections
Synopsis connections: "value"
Example connections: "100"
Notes

The connections limit defines the maximum number of simultaneous client connections to the server. Connections in excess of this count will be rejected. Set to "unlimited" for no limit.

This property counts the number of client socket connections. A single browser may open many separate connections (typically up to 6).

limits → header

Description Sets the maximum header size of a request.
Synopsis header: "max-size"
Example header: "32K"
Notes

The header limit defines a maximum size for the request headers. For embedded applications, it is useful to limit the maximum headers size to ensure that rogue or malicious requests will not cause the agent to allocate unwanted memory for servicing the request.

The default limit is 10K.

Security

This property helps mitigate denial-of-service attacks in which the attacker sends requests with very large headers, since the agent will not allocate memory for headers beyond the configured limit.

limits → sessions

Description Sets the maximum number of active client sessions
Synopsis sessions: "max-sessions"
Example sessions: "40"
Notes

The sessions limit property defines the maximum number of active client sessions that utilize server-side session state storage. Requests in excess of this count will be rejected. Set to "unlimited" for no limit.

This property limits the number of client sessions, whereas the "connections" limit limits the number of simultaneously connected client systems.

Note that many browsers initiate multiple requests when loading a page. These requests share the same session state storage, so they count as one session.

limits → upload

Description Maximum size of an uploaded file.
Synopsis upload: "max-size"
Example upload: "20MB"
Notes

The upload limit defines the maximum size of an uploaded file. In embedded applications, it is useful to limit the maximum file upload size to ensure that rogue or malicious requests will not cause the server to allocate unwanted space for uploads.

Set to "unlimited" for no limit. If a file larger than the limit is uploaded, Ioto will reject the request and the client will receive an error. The default value is unlimited, so any deployment that accepts uploads should set an explicit limit matched to the largest file it expects.

Security

This property helps mitigate denial-of-service attacks in which the attacker sends oversized file uploads to exhaust the server's storage.

© Embedthis Software. All rights reserved.