Using the Request Size Limit middleware with Tyk Classic APIs

Last updated: 3 minutes read.

The request size limit middleware enables you to apply limits to the size of requests made to your HTTP APIs. You might use this feature to protect your Tyk Gateway or upstream services from excessive memory usage or brute force attacks.

This middleware is configured in the Tyk Classic API Definition. You can do this via the Tyk Dashboard API or in the API Designer.

If you’re using the newer Tyk OAS APIs, then check out the Tyk OAS page.

Configuring the middleware in the Tyk Classic API Definition

There are three different levels of granularity that can be used when configuring a request size limit.

Applying a size limit for a specific API

You can configure a request size limit (in bytes) to an API by configuring the global_size_limit within the version element of the API Definition, for example:

"global_size_limit": 2500 

A value of zero (default) means that no maximum is set and the API-level size limit check will not be performed.

This limit is applied for all endpoints within an API. It is evaluated after the Gateway-wide size limit and before any endpoint-specific size limit. If this test fails, the Tyk Gateway will report HTTP 400 Request is too large.

Applying a size limit for a specific endpoint

The most granular control over request sizes is provided by the endpoint-level configuration. This limit will be applied after any Gateway-level or API-level size limits and is given in bytes. If this test fails, the Tyk Gateway will report HTTP 400 Request is too large.

To enable the middleware you must add a new size_limits object to the extended_paths section of your API definition.

The size_limits object has the following configuration:

  • path: the endpoint path
  • method: the endpoint HTTP method
  • size_limit: the maximum size permitted for a request to the endpoint (in bytes)

For example:

    "extended_paths": {
        "size_limits": [
                "disabled": false,
                "path": "/anything",
                "method": "POST",
                "size_limit": 100

In this example the endpoint-level Request Size Limit middleware has been configured for HTTP POST requests to the /anything endpoint. For any call made to this endpoint, Tyk will check the size of the payload (Request body) and, if it is larger than 100 bytes, will reject the request, returning HTTP 400 Request is too large.

Configuring the middleware in the API Designer

You can use the API Designer in the Tyk Dashboard to configure a request size limit for your Tyk Classic API by following these steps.

Step 1: Add an endpoint for the path and select the plugin

From the Endpoint Designer add an endpoint that matches the path for which you want to limit the size of requests. Select the Request size limit plugin.

Select middleware

Step 2: Configure the middleware

Set the request size limit, in bytes.

Configure limit

Step 3: Save the API

Use the save or create buttons to save the changes and activate the middleware.


The Tyk Classic API Designer does not provide an option to configure global_size_limit, but you can do this from the Raw Definition editor.