From b2fb8a082d0072e57ad4eb7e8f262c08631e6acc Mon Sep 17 00:00:00 2001 From: Hugh Brown Date: Tue, 3 Mar 2026 22:10:49 -0700 Subject: [PATCH] feat: make webhook payload size limit configurable Add WEBHOOK_MAX_PAYLOAD_BYTES setting (default 1 MB) so deployments with larger webhook payloads can raise the limit via environment variable instead of being hard-blocked at 1 MB. Co-Authored-By: Claude Opus 4.6 --- backend/app/api/board_webhooks.py | 4 ++-- backend/app/core/config.py | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/backend/app/api/board_webhooks.py b/backend/app/api/board_webhooks.py index 079ca3f5..499deae4 100644 --- a/backend/app/api/board_webhooks.py +++ b/backend/app/api/board_webhooks.py @@ -516,10 +516,10 @@ async def ingest_board_webhook( detail="Webhook is disabled.", ) - # Enforce a 1 MB payload size limit to prevent memory exhaustion. + # Enforce payload size limit to prevent memory exhaustion. # Read the body in chunks via request.stream() so an attacker cannot # cause OOM by sending a huge body with a missing/spoofed Content-Length. - max_payload_bytes = 1_048_576 + max_payload_bytes = settings.webhook_max_payload_bytes content_length = request.headers.get("content-length") try: cl = int(content_length) if content_length else 0 diff --git a/backend/app/core/config.py b/backend/app/core/config.py index 1534d556..3e9f6c6e 100644 --- a/backend/app/core/config.py +++ b/backend/app/core/config.py @@ -57,6 +57,9 @@ class Settings(BaseSettings): security_header_referrer_policy: str = "strict-origin-when-cross-origin" security_header_permissions_policy: str = "" + # Webhook payload size limit in bytes (default 1 MB). + webhook_max_payload_bytes: int = 1_048_576 + # Database lifecycle db_auto_migrate: bool = False