HTTP Limits Policy

The HTTP Limits policy prevents an attacker from sending large messages that consume all your bandwidth.
This policy checks TCP protocol message sizes and headers. This policy does not check content.

This policy applies to all the APIs behind your Edge inbound endpoint. You can apply API Gateway policies to each API to enforce other API specific policies, such as throttling and JSON threat protection.

When you configure a DoS policy, violations to the HTTP Limits policy escalate as protocol errors.


To configure and use the security policies, you must:

  • Have the Anypoint Security - Edge entitlement for your Anypoint Platform account.
    If you don’t see Security in Management Center, contact your customer success manager to enable Anypoint Security for your account.

  • Have Runtime Fabric with inbound traffic configured.
    Anypoint Runtime Fabric is a container service that automates the deployment and orchestration of Mule apps and API gateways.
    See the Runtime Fabric documentation.
    Runtime Fabric requires an Anypoint Platform Platinum or higher-level subscription.

  • Enable inbound traffic on Runtime Fabric to allow Mule apps and API gateways to listen on inbound connections.

Configure an HTTP Limit Policy

You can configure and apply an HTTP Limits policy to increase or decrease default HTTP limits.

  1. Navigate to Anypoint Security, click the Create Policy icon, and select Content Attack Prevention.

  2. Add a name for your policy in the Name field.

  3. Configure the maximum sizes for message, path header and trailers in the fields below:

    Value Description

    Maximum Message Size

    The default maximum message size allowed is 104857600. If request body scanning is enabled, this value should be set no larger than required to prevent attackers from abusing request body checking and exhausting resources.
    Modify the message size based on your application needs, and base the size limits on what all of your APIs can handle.

    Maximum Path Length

    The default maximum path size allowed is 4096 bytes.

    Maximum Length Of a Single Header

    The default maximum header length allowed for is 16384 bytes.

    Maximum Length Of a Single Trailer

    The default maximum trailer length allowed is 16384 bytes.

    Maximum Number Of Headers and Trailers

    The default maximum number of headers and trailers allowed is 32 kB.

  4. If you want to filter specific HTTP methods, configure them in the Allowed HTTP Request Methods field.
    Allowed methods are: GET, POST, PATCH, HEAD, TRACE, OPTIONS, DELETE, and PUT.

  5. Click Save Policy.

Was this article helpful?

💙 Thanks for your feedback!

Edit on GitHub