docs: update documentation for v1.4.0 security features

- Add JsonApiOptions configuration example to getting-started.md
- Add Query Complexity Limits section to security.md
- Add Filter Path Validation section to security.md
- Add DoS Protection section to security.md
- Update querying.md Limitations section with enforced limits
- Update upgrade-guide.md v1.4.0 section with release details

Author: erlendellefsen

docs/docs/getting-started.md

@@ -41,6 +41,21 @@ dotnet add package Intility.JsonApiToolkit
    builder.Services.AddJsonApiToolkit();
    ```
 
+   You can also configure options for query limits and pagination:
+
+   ```csharp
+   builder.Services.AddJsonApiToolkit(options => {
+       options.MaxFilters = 100;          // Default: 50
+       options.MaxFilterGroups = 20;      // Default: 10
+       options.MaxFilterDepth = 5;        // Default: 3
+       options.MaxPageSize = 200;         // Default: 100
+       options.DefaultPageSize = 25;      // Default: 10
+   });
+   ```
+
+   > [!TIP]
+   > See the [Security](security.md#query-complexity-limits) documentation for details on all available options and their security implications.
+
 2. **Inheritance:**
    Derive your API controllers from the provided `JsonApiController` to leverage helper methods that return JSON:API compliant responses.
 

docs/docs/querying.md

@@ -97,8 +97,23 @@ With this request, the toolkit will:
 
 ## Limitations
 
+JsonApiToolkit enforces the following query limits to ensure predictable performance and security:
+
+| Limit | Default | Description |
+|-------|---------|-------------|
+| Max Filters | 50 | Maximum number of filter conditions |
+| Max Filter Groups | 10 | Maximum OR/NOT logical blocks |
+| Max Filter Depth | 3 | Maximum nesting of filter groups |
+| Max Filter Value Length | 1000 | Maximum characters per filter value |
+| Max Include Depth | 3 | Maximum include path depth (e.g., `author.posts.comments`) |
+| Max Page Size | 100 | Maximum items per page (silently clamped) |
+
+These limits are configurable via `JsonApiOptions`. See the [Security](security.md#query-complexity-limits) documentation for configuration details.
+
+**Additional limitations:**
+
 - **Include filter validation**: Filters with dot notation can only be applied to relationships that are explicitly included in the request. Use the `AllowedIncludesAttribute` to control which relationships can be filtered.
-- **Complex nested filtering**: Maximum filter depth is 3 levels (e.g., `entity.relationship.property`).
+- **Filtered includes nesting**: Filtered includes currently support up to 2-level nesting (e.g., `parent.child`). Deeper nesting will fall back to unfiltered includes.
 
 ## Attribute Mapping
 

docs/docs/security.md

@@ -75,6 +75,124 @@ All matching is case-insensitive:
 Invalid patterns are logged as warnings during application startup:
 
 ```
-AllowedIncludesAttribute validation warnings for UsersController.GetUsers: 
+AllowedIncludesAttribute validation warnings for UsersController.GetUsers:
 Pattern 'user.**' contains '**' which is not supported. Use single '*' for wildcards.
 ```
+
+## Query Complexity Limits
+
+JsonApiToolkit enforces configurable limits on query complexity to prevent resource exhaustion attacks.
+
+### Configuration
+
+Configure limits via `JsonApiOptions` in your `Program.cs`:
+
+```csharp
+builder.Services.AddJsonApiToolkit(options => {
+    options.MaxFilters = 50;           // Max filter conditions (default: 50)
+    options.MaxFilterGroups = 10;      // Max OR/NOT blocks (default: 10)
+    options.MaxFilterDepth = 3;        // Max group nesting depth (default: 3)
+    options.MaxFilterValueLength = 1000; // Max value string length (default: 1000)
+    options.MaxIncludeDepth = 3;       // Max include path depth (default: 3)
+    options.MaxPageSize = 100;         // Max page size, clamped (default: 100)
+    options.DefaultPageSize = 10;      // Default when not specified (default: 10)
+});
+```
+
+### Limit Behaviors
+
+| Option | Behavior When Exceeded |
+|--------|----------------------|
+| `MaxFilters` | Returns 400 Bad Request |
+| `MaxFilterGroups` | Returns 400 Bad Request |
+| `MaxFilterDepth` | Returns 400 Bad Request |
+| `MaxFilterValueLength` | Returns 400 Bad Request |
+| `MaxIncludeDepth` | Returns 400 Bad Request |
+| `MaxPageSize` | Silently clamped to max value |
+
+### Error Response
+
+When limits are exceeded, a 400 Bad Request is returned with details:
+
+```json
+{
+  "errors": [{
+    "status": "400",
+    "code": "QUERY_TOO_COMPLEX",
+    "title": "Query exceeds complexity limits",
+    "detail": "Query contains 75 filters, but maximum allowed is 50. Reduce filter count or configure a higher limit via JsonApiOptions.MaxFilters.",
+    "source": { "parameter": "filter" },
+    "meta": {
+      "limit": 50,
+      "actual": 75,
+      "configKey": "JsonApiOptions.MaxFilters"
+    }
+  }]
+}
+```
+
+## Filter Path Validation
+
+When using `[AllowedIncludes]`, dot-notation filter paths are also validated against the allowed list.
+
+### How It Works
+
+If you use `filter[author.name]=John` (filtering the primary resource by a related entity's field), the `author` relationship must be in the `AllowedIncludes` list:
+
+```csharp
+[HttpGet("posts")]
+[AllowedIncludes("author", "comments")]
+public async Task<IActionResult> GetPosts()
+{
+    // filter[author.name]=John ✓ - allowed
+    // filter[author.bio]=X ✓ - allowed
+    // filter[admin.role]=X ✗ - 403 Forbidden (admin not in AllowedIncludes)
+    return await JsonApiQueryAsync(_context.Posts, "post");
+}
+```
+
+### Error Response
+
+When filtering on a non-allowed relationship:
+
+```json
+{
+  "errors": [{
+    "status": "403",
+    "title": "Forbidden",
+    "detail": "Filtering on relationship 'admin' is not allowed. Add 'admin' to AllowedIncludes or remove the filter."
+  }]
+}
+```
+
+> [!NOTE]
+> This validation only applies when `[AllowedIncludes]` is present. Without the attribute, all filter paths are allowed.
+
+## DoS Protection
+
+The query complexity limits protect against several denial-of-service attack vectors:
+
+### Resource Exhaustion
+Complex queries with many filters or deep nesting can cause excessive CPU usage. Limits on `MaxFilters`, `MaxFilterGroups`, and `MaxFilterDepth` prevent attackers from crafting queries that overwhelm the server.
+
+### Stack Overflow
+Deeply nested filter groups could cause stack overflow during recursive expression building. The `MaxFilterDepth` limit and internal recursion guards prevent this.
+
+### Memory Exhaustion
+Very large filter values or responses could exhaust server memory. The `MaxFilterValueLength` and `MaxPageSize` limits bound memory usage per request.
+
+### Recommended Defaults
+
+The default limits are designed to handle typical API usage while blocking abuse:
+
+| Limit | Default | Rationale |
+|-------|---------|-----------|
+| MaxFilters | 50 | Covers complex search UIs |
+| MaxFilterGroups | 10 | Allows OR chains for search |
+| MaxFilterDepth | 3 | Entity → Relationship → Property |
+| MaxFilterValueLength | 1000 | Long enough for UUIDs, GUIDs, text search |
+| MaxIncludeDepth | 3 | Matches filter depth |
+| MaxPageSize | 100 | Prevents large data dumps |
+
+> [!TIP]
+> If your application requires higher limits, increase them via configuration. Monitor query performance when raising limits.

docs/docs/upgrade-guide.md

@@ -2,7 +2,7 @@
 
 This document tracks all breaking changes, new features, and migration steps for each version of JsonApiToolkit.
 
-**Current Version:** 1.2.5
+**Current Version:** 1.4.0
 
 ---
 
@@ -227,12 +227,13 @@ public static class JsonApiMapper { ... }
 
 ### v1.4.0 - Security Hardening
 
-**Release Date:** TBD
+**Release Date:** January 2026
 
 **New Features:**
-- [x] `JsonApiOptions` configuration class
-- [x] Configurable query complexity limits
+- [x] `JsonApiOptions` configuration class for query limits
+- [x] Configurable query complexity limits (filters, groups, depth, page size)
 - [x] AllowedIncludes now validates filter paths (not just includes)
+- [x] Recursion depth guard for nested filter groups
 
 **Configuration:**
 ```csharp