Added option for json payload size

Author: stevenpeh-tw

mcp-openapi/README.md

@@ -510,11 +510,33 @@ The MCP server provides authentication-aware error handling with structured resp
 
 ### Security Features
 
+- **Request Size Limiting**: Configurable JSON payload size limits prevent DoS attacks (default: 2MB)
 - **Security Event Logging**: 401/403 errors are logged with `[SECURITY]` prefix for monitoring
 - **Error Context Preservation**: Backend API error responses are included in `details`
 - **Privacy Protection**: Query parameters are stripped from URLs in error messages
 - **Structured Responses**: All errors return JSON with consistent format instead of throwing exceptions
 
+#### Request Size Configuration
+
+The server automatically limits JSON request body sizes to prevent denial-of-service attacks and memory exhaustion:
+
+```bash
+# Use default 2MB limit
+mcp-openapi-server --http
+
+# Set custom limit
+mcp-openapi-server --http --max-request-size 5mb
+
+# Other valid formats
+mcp-openapi-server --max-request-size 1024kb
+mcp-openapi-server --max-request-size 512kb
+```
+
+**Recommended limits for banking APIs:**
+- **Conservative**: `1mb` - Handles most banking operations with safety margin
+- **Standard**: `2mb` (default) - Balances security and functionality  
+- **Liberal**: `5mb` - For batch operations or document attachments
+
 ## OpenAPI Specification Setup
 
 ### Custom Spec IDs
@@ -643,6 +665,7 @@ interface ServerOptions {
   verbose?: boolean;          // Enable verbose logging
   baseUrl?: string;           // Base URL for backend APIs (overrides config file)
   maxToolNameLength?: number; // Maximum length for generated tool names (default: 48)
+  maxRequestSize?: string;    // Maximum size for JSON request bodies (default: "2mb")
 }
 ```
 
@@ -656,6 +679,7 @@ Options:
   --port <number>                  Port for HTTP server mode (default: "4000")
   --base-url <url>                 Base URL for backend APIs (overrides config file)
   --max-tool-name-length <number>  Maximum length for generated tool names (default: "48")
+  --max-request-size <size>        Maximum size for JSON request bodies (default: "2mb")
   --http                           Run in HTTP server mode instead of stdio (default: false)
   -v, --verbose                    Enable verbose logging (default: true)
   -h, --help                       Display help for command

mcp-openapi/src/cli.ts

@@ -19,6 +19,7 @@ program
   .option('--port <number>', 'Port for HTTP server mode', '4000')
   .option('--base-url <url>', 'Base URL for backend APIs (overrides config file)')
   .option('--max-tool-name-length <number>', 'Maximum length for generated tool names', '48')
+  .option('--max-request-size <size>', 'Maximum size for JSON request bodies', '2mb')
   .option('--http', 'Run in HTTP server mode instead of stdio', false)
   .option('-v, --verbose', 'Enable verbose logging', true)
   .action(async (options) => {
@@ -29,7 +30,8 @@ program
       port: parseInt(options.port),
       verbose: options.verbose,
       ...(options.baseUrl && { baseUrl: options.baseUrl }),
-      ...(options.maxToolNameLength && { maxToolNameLength: parseInt(options.maxToolNameLength) })
+      ...(options.maxToolNameLength && { maxToolNameLength: parseInt(options.maxToolNameLength) }),
+      ...(options.maxRequestSize && { maxRequestSize: options.maxRequestSize })
     };
 
     const server = new MCPOpenAPIServer(serverOptions);

mcp-openapi/src/server.ts

@@ -63,6 +63,7 @@ export class MCPOpenAPIServer {
       port: 4000,
       verbose: true,
       maxToolNameLength: 48,
+      maxRequestSize: '2mb',
       ...options
     };
 
@@ -102,7 +103,7 @@ export class MCPOpenAPIServer {
   private setupExpress() {
     const corsOptions = this.config.cors || {};
     this.app.use(cors(corsOptions));
-    this.app.use(express.json());
+    this.app.use(express.json({ limit: this.options.maxRequestSize }));
   }
 
   async initialize(): Promise<void> {

mcp-openapi/src/types.ts

@@ -86,4 +86,5 @@ export interface ServerOptions {
   verbose?: boolean;
   baseUrl?: string;
   maxToolNameLength?: number;
+  maxRequestSize?: string;
 }