Your API Returns 400 for Huge Payloads? Congratulations. You Just Built a Polite DoS Gateway

Published: February 18, 2026 at 10:00 PM EST
2 min read
Source: Dev.to

The Problem with Returning 400 for Oversized Payloads

When a client sends a massive request body, many APIs respond with:

400 Bad Request

This response is misleading. An oversized payload should be rejected with 413 Payload Too Large (renamed 413 Content Too Large in RFC 9110, same semantics), which explicitly tells the client that the request size exceeds the server's limits. Returning 400 suggests a problem with the data itself, not with its size, so the client has no reason to shrink the request and will simply retry it.

Consequences of the Wrong Status Code

The status code is only the visible symptom; the real cost is what the server did before it answered. A 400 that arrives only after the body has been fully received and parsed means the server has already:

  • Buffered the whole body in memory and spent CPU decoding it
  • Opened database connections or other per‑request resources
  • Performed other expensive operations on data it was going to throw away

Each oversized request ties up a worker for as long as it takes to receive and parse the body. A handful of concurrent oversized requests is enough to turn a simple validation issue into a cheap denial‑of‑service (DoS) scenario, because the attacker pays only bandwidth while the server pays memory, CPU and connection slots.

Large Payload Test in Rentgen

To catch this class of bug, Rentgen includes a Large Payload Test:

  • Takes a valid request and inflates only the body size.
  • Keeps JSON structure and headers correct, so the only thing that changes is the byte count.
  • Expects an immediate 413 at the size boundary: a body just over the limit is rejected, and the same request just under it is still accepted.

Any other response (a 400, a 500, a timeout, or a 413 that arrives only after a long delay) indicates that the server read and processed a body it should have refused up front.

Real‑World Example

The issue was discovered in the ChatGPT API, where oversized payloads were processed incorrectly. After reporting, the bug was fixed within a day, demonstrating how critical proper handling is.

Why This Bug Persists

  • Human assumptions: Developers often assume that a generic error code is sufficient.
  • Lack of discipline: Proper status codes are a simple, “boring” fix that prevents larger problems.

The Simple Fix

  • Return 413 Payload Too Large for requests whose declared or actual size exceeds the allowed limit.
  • Reject early: check Content‑Length before reading the body, cap chunked or undeclared bodies while they stream in, and enforce the limit at the edge (reverse proxy or framework body‑size setting) so application code never sees the oversized body.
  • Close the connection after an early 413, since the client may still be sending the rest of the body and leftover bytes would otherwise be read as the next request on a keep‑alive connection.
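The handler and the boundary probe below are an added example, not Rentgen's code and not the page's own: they show the early‑rejection rule from the fix above, and an `inflate_body` helper that builds the kind of structure‑preserving oversized payload the Large Payload Test sends. The 1024‑byte limit, the `handle_request` function, the `CountingStream` stand‑in for a socket and the sample JSON are all assumptions made for illustration.

```python
"""Added example: reject oversized bodies before parsing them, and probe the
size boundary the way the Large Payload Test described above does.
The limit, the handler and the sample request are hypothetical; this is not
Rentgen's code or any real API's implementation."""
from __future__ import annotations

import json
from io import BytesIO

MAX_BODY_BYTES = 1024   # hypothetical per-endpoint limit
READ_CHUNK = 256        # bytes pulled from the "socket" per read


class CountingStream:
    """Stand-in for a request body socket; records how many bytes the handler consumed."""

    def __init__(self, data: bytes) -> None:
        self._buf = BytesIO(data)
        self.bytes_read = 0

    def read(self, n: int) -> bytes:
        chunk = self._buf.read(n)
        self.bytes_read += len(chunk)
        return chunk


def handle_request(headers: dict, body: CountingStream,
                   limit: int = MAX_BODY_BYTES) -> tuple[int, dict]:
    """Return (status, response). The size decision is made before any parsing."""
    # 1. Declared size: a Content-Length above the limit is refused without
    #    touching the stream. The connection is then closed, because the client
    #    is still sending the body we declined to read.
    declared = headers.get("content-length")
    if declared is not None:
        if not declared.isdigit():
            return 400, {"error": "invalid Content-Length"}
        if int(declared) > limit:
            return 413, {"error": "body exceeds limit", "limit": limit, "connection": "close"}

    # 2. Chunked or absent Content-Length: enforce the cap while the body streams in.
    #    Never more than limit + 1 bytes are read, so memory stays bounded.
    received = bytearray()
    while len(received) <= limit:
        chunk = body.read(min(READ_CHUNK, limit + 1 - len(received)))
        if not chunk:
            break
        received += chunk
    if len(received) > limit:
        return 413, {"error": "body exceeds limit", "limit": limit, "connection": "close"}

    # 3. Only a body within the limit is ever decoded; malformed data is a genuine 400.
    try:
        data = json.loads(received.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, {"error": "malformed JSON"}
    return 200, {"ok": True, "fields": sorted(data) if isinstance(data, dict) else []}


def inflate_body(valid: dict, target_bytes: int, field: str = "note") -> bytes:
    """Pad one string field so the serialised JSON is exactly target_bytes long.
    Structure and every other field stay intact, as in the Large Payload Test."""
    doc = dict(valid)
    doc[field] = ""
    overhead = len(json.dumps(doc, separators=(",", ":")).encode("utf-8"))
    if target_bytes < overhead:
        raise ValueError(f"cannot shrink below {overhead} bytes")
    doc[field] = "A" * (target_bytes - overhead)   # ASCII filler: one byte per char, no escaping
    return json.dumps(doc, separators=(",", ":")).encode("utf-8")


# Constructed sample request; nothing here touches a real network.
SAMPLE = {"user": "alice", "action": "upload", "note": ""}


def boundary_check(limit: int = MAX_BODY_BYTES) -> dict[str, tuple[int, int]]:
    """Probe the limit itself, limit+1 with Content-Length, and limit+1 without it.
    Returns {case: (status, bytes the handler actually read)}."""
    cases = [("at_limit", limit, True),
             ("over_limit_declared", limit + 1, True),
             ("over_limit_chunked", limit + 1, False)]
    results = {}
    for name, size, declare_length in cases:
        body = inflate_body(SAMPLE, size)
        stream = CountingStream(body)
        headers = {"content-type": "application/json"}
        if declare_length:
            headers["content-length"] = str(len(body))
        status, _ = handle_request(headers, stream, limit)
        results[name] = (status, stream.bytes_read)
    return results


if __name__ == "__main__":
    for case, (status, read) in boundary_check().items():
        print(f"{case:22s} -> {status}, read {read} bytes")
```

The two numbers per case are what a boundary test should be checking: at the limit the body is read and accepted; one byte over with a declared length it is refused with zero bytes read; one byte over without a declared length the handler reads exactly limit + 1 bytes and stops, instead of buffering whatever the client keeps sending.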

Takeaway

Consistently returning 413 isn’t about being strict; it’s about being responsible. Properly handling large payloads prevents unnecessary resource consumption and protects your API from inadvertent DoS attacks.

Full story and technical breakdown: https://rentgen.io/api-stories/large-payload-handling.html
