Commit

feat: decrease the default value of maxHttpBufferSize
This change reduces the default value from 100 mb to a more sane 1 mb.

This helps protect the server against denial of service attacks by
malicious clients sending huge amounts of data.

Backported from 734f9d1
darrachequesne committed Jun 6, 2022
1 parent b9dee7b commit 58e274c
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -227,7 +227,7 @@ to a single process.
- `upgradeTimeout` (`Number`): how many ms before an uncompleted transport upgrade is cancelled (`10000`)
- `maxHttpBufferSize` (`Number`): how many bytes or characters a message
can be, before closing the session (to avoid DoS). Default
value is `10E7`.
value is `1e6` (1MB).
- `allowRequest` (`Function`): A function that receives a given handshake
or upgrade request as its first parameter, and can decide whether to
continue or not. The second argument is a function that needs to be
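Review bot: The `maxHttpBufferSize` entry now says `1e6` (1MB), but the same entry describes the limit as "bytes or characters", so the "1MB" label only holds when the limit is counted in bytes. The entry should also say that this is a lowered default: deployments that relied on the old `10E7` value and send messages larger than 1e6 will have their sessions closed unless they set `maxHttpBufferSize` explicitly. A one-line note on how to raise the limit, and that a higher limit widens the exposure to large-payload DoS, would fit here.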
2 changes: 1 addition & 1 deletion lib/server.js
Expand Up @@ -40,7 +40,7 @@ function Server (opts) {
this.pingTimeout = opts.pingTimeout || 5000;
this.pingInterval = opts.pingInterval || 25000;
this.upgradeTimeout = opts.upgradeTimeout || 10000;
this.maxHttpBufferSize = opts.maxHttpBufferSize || 10E7;
this.maxHttpBufferSize = opts.maxHttpBufferSize || 1e6;
this.transports = opts.transports || Object.keys(transports);
this.allowUpgrades = false !== opts.allowUpgrades;
this.allowRequest = opts.allowRequest;
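Review bot: In the changed line `this.maxHttpBufferSize = opts.maxHttpBufferSize || 1e6;` the `||` fallback treats an explicit `0` the same as an unset option, and any other truthy value (a string, a negative number, `Infinity`) is stored without a check. Since this option is the DoS guard, consider testing for `undefined` explicitly and rejecting values that are not finite positive numbers, so that a misconfiguration fails loudly instead of silently changing or disabling the limit. Because the default drops from `10E7` to `1e6` in a backport, the change also deserves a test that a payload just over 1e6 closes the session and one just under it does not.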