Maximum Request Size
Overview
The WAF enforces a configurable maximum HTTP request body size on all incoming requests. You can change this setting yourself directly from your dashboard — no need to contact support.
Any request that exceeds the configured limit is blocked before it reaches your application, and the client receives a 403 Forbidden response.
How to Change Your Upload Size Limit
- Log in to your ExpeditedWAF dashboard
- Expand Traffic Rules in the sidebar
- Click Upload Size
- Select your desired size from the dropdown
- The change is applied automatically (typically within 30 seconds)
Available Options
| Setting | Best For |
|---|---|
| 5 MB | Simple forms, text-only APIs |
| 10 MB | Standard web applications with small image uploads |
| 50 MB | Applications with document or photo uploads |
| 100 MB | Media-heavy applications, large file uploads |
| 200 MB | Video uploads, large dataset imports |
| 400 MB | Maximum available — for very large file transfers |
What Happens When a Request Is Blocked
When a request body exceeds the configured limit:
- The WAF blocks the request at the edge — it never reaches your Heroku app
- The client receives a 403 Forbidden HTTP response
- The blocked request is logged and visible in your Block Logs page
Common Use Cases
- File upload forms — If users upload images, PDFs, or other documents, ensure the limit covers your largest expected file
- Large POST bodies — Rich text editors with embedded images or complex multi-part forms can generate large payloads
- API endpoints accepting media — APIs that accept base64-encoded files or binary uploads may need a higher limit
Security Recommendation
Keep this value as low as practical for your application. A lower limit helps protect against denial-of-service attacks that use oversized request payloads to consume server resources.
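A sizing sketch for the use cases and recommendation above, added here as an example and not part of ExpeditedWAF's documentation or tooling: it estimates the request body for a file sent as base64 in JSON versus multipart, then picks the lowest listed setting that fits. The bytes-per-MB value, the overhead allowances, and the `file` field name are assumptions.

```python
import base64
import json

# Dashboard options listed on this page, in MB.
TIERS_MB = (5, 10, 50, 100, 200, 400)

# Assumption: the page does not say whether "MB" means 10**6 or 2**20 bytes.
# The smaller value is used so the estimate errs toward not blocking uploads.
BYTES_PER_MB = 10**6


def base64_json_body_size(file_bytes, envelope_bytes=512):
    """Estimated body size for a file sent base64-encoded inside JSON.

    Base64 emits 4 characters per 3 input bytes, padded to a multiple of 4.
    envelope_bytes is an assumed allowance for the surrounding JSON fields.
    """
    return 4 * ((file_bytes + 2) // 3) + envelope_bytes


def multipart_body_size(file_bytes, parts=1, per_part_overhead=256):
    """Estimated multipart/form-data size: raw bytes plus an assumed
    allowance per part for the boundary line and part headers."""
    return file_bytes + parts * per_part_overhead


def measured_base64_json_size(payload, field="file"):
    """Encode a real payload to check the estimate; 'field' is hypothetical."""
    encoded = base64.b64encode(payload).decode("ascii")
    return len(json.dumps({field: encoded}).encode("utf-8"))


def smallest_tier(body_bytes):
    """Lowest listed setting (MB) that fits body_bytes, or None if above 400 MB."""
    for tier in TIERS_MB:
        if body_bytes <= tier * BYTES_PER_MB:
            return tier
    return None


if __name__ == "__main__":
    largest_file = 8 * 10**6  # constructed example: 8 MB largest expected upload
    for label, size in (("base64 in JSON", base64_json_body_size(largest_file)),
                        ("multipart", multipart_body_size(largest_file))):
        print(f"{label}: {size} bytes -> {smallest_tier(size)} MB setting")
```

With the constructed 8 MB file, the base64 route needs the 50 MB setting while multipart fits under 10 MB, so the upload encoding determines how low the limit can stay.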
Need Help?
Contact us at support@expeditedsecurity.com or book a call.