
HTTP Limits Policy

The HTTP Limits policy prevents an attacker from sending large messages that consume all your bandwidth.
This policy checks TCP protocol message sizes and headers. This policy does not check content.

This policy applies to all the APIs behind your Edge inbound endpoint. You can apply API Gateway policies to each API to enforce other API-specific policies, such as throttling and JSON threat protection.

When you configure a DoS policy, violations of the HTTP Limits policy escalate as protocol errors.


To configure and use the security policies, you must:

  1. Have permission to manage policies in API Manager.

  2. Install Runtime Fabric. Anypoint Runtime Fabric is a container service that automates the deployment and orchestration of Mule apps and API gateways.

  3. Enable inbound traffic on Runtime Fabric to allow Mule apps and API gateways to listen on inbound connections.

Configure an HTTP Limit Policy

You can configure and apply an HTTP Limits policy to increase or decrease default HTTP limits.

  1. Navigate to Anypoint Security, click the Create Policy icon, and select Content Attack Prevention.

  2. Add a name for your policy in the Name field.

  3. Configure the maximum sizes for the message, path, headers, and trailers in the fields below:

    Value Description

    Maximum Message Size

    The default maximum message size allowed is 104857600. If request body scanning is enabled, this value should be set no larger than required to prevent attackers from abusing request body checking and exhausting resources.
    Modify the message size based on your application needs, and base the size limits on what all of your APIs can handle.

    Maximum Path Length

    The default maximum path size allowed is 4096 bytes.

    Maximum Length Of a Single Header

    The default maximum header length allowed is 16384 bytes.

    Maximum Length Of a Single Trailer

    The default maximum trailer length allowed is 16384 bytes.

    Maximum Number Of Headers and Trailers

    The default maximum number of headers and trailers allowed is 32 kB.

  4. If you want to filter specific HTTP methods, configure them in the Allowed HTTP Request Methods field.
    Allowed methods are: GET, POST, PATCH, HEAD, TRACE, OPTIONS, DELETE, and PUT.

  5. Click Save Policy.
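
Before tightening these limits, it helps to replay representative requests against the proposed values to see which ones would be rejected. The following sketch is an added example, not MuleSoft code and not how Anypoint Security implements the policy; the names HttpLimits and check_request are hypothetical, the message size is assumed to be in bytes, the "32 kB" header and trailer default is treated as a count of 32, and trailers are passed in already parsed.

```python
from dataclasses import dataclass

METHODS = frozenset({"GET", "POST", "PATCH", "HEAD", "TRACE", "OPTIONS", "DELETE", "PUT"})

@dataclass(frozen=True)
class HttpLimits:
    # Defaults are the values listed on this page. Assumptions: the message
    # size is in bytes and "32 kB" for headers and trailers is a count of 32.
    max_message_size: int = 104857600
    max_path_length: int = 4096
    max_header_length: int = 16384
    max_trailer_length: int = 16384
    max_headers_and_trailers: int = 32
    allowed_methods: frozenset = METHODS

def check_request(raw: bytes, limits: HttpLimits = HttpLimits(), trailers=()):
    """Return the limits one raw HTTP/1.1 request would violate (empty = pass)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, target, _version = parts
    headers = [line for line in lines[1:] if line]
    declared = 0
    for header in headers:
        name, _, value = header.partition(b":")
        if name.strip().lower() == b"content-length" and value.strip().isdigit():
            declared = int(value.strip())
    violations = []
    if method.decode("ascii", "replace") not in limits.allowed_methods:
        violations.append("method not allowed")
    # Assumption: the path limit applies to the target without its query string.
    if len(target.split(b"?", 1)[0]) > limits.max_path_length:
        violations.append("path too long")
    if any(len(h) > limits.max_header_length for h in headers):
        violations.append("header too long")
    if any(len(t) > limits.max_trailer_length for t in trailers):
        violations.append("trailer too long")
    if len(headers) + len(trailers) > limits.max_headers_and_trailers:
        violations.append("too many headers and trailers")
    # Judge size by the larger of the declared and the received body length.
    if max(declared, len(body)) > limits.max_message_size:
        violations.append("message too large")
    return violations

# Constructed sample: a tightened policy checked against a constructed request.
STRICT = HttpLimits(max_message_size=1024, allowed_methods=frozenset({"GET", "POST"}))
SAMPLE = b"PUT /api/orders HTTP/1.1\r\nHost: api.example.test\r\nContent-Length: 4096\r\n\r\n"
if __name__ == "__main__":
    print(check_request(SAMPLE, STRICT))
```

Running legitimate traffic samples from every API behind the endpoint through a check like this shows whether a candidate limit would block valid requests before the policy is saved.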
