express: add maxBodyBytes guard for JSON parsing

Author: Theodor N. Engøy

.changeset/express-body-size-limit.md

@@ -0,0 +1,6 @@
+---
+'@modelcontextprotocol/express': patch
+---
+
+Add `maxBodyBytes` option to `createMcpExpressApp()` and enforce a default JSON request body size limit.
+

packages/middleware/express/README.md

@@ -34,6 +34,8 @@ import { createMcpExpressApp } from '@modelcontextprotocol/express';
 const app = createMcpExpressApp(); // default host is 127.0.0.1; protection enabled
 ```
 
+`createMcpExpressApp()` also installs `express.json()` with a default request body size limit (`maxBodyBytes`, default: `1_000_000` bytes).
+
 ### Streamable HTTP endpoint (Express)
 
 ```ts

packages/middleware/express/src/express.ts

@@ -3,6 +3,8 @@ import express from 'express';
 
 import { hostHeaderValidation, localhostHostValidation } from './middleware/hostHeaderValidation.js';
 
+const DEFAULT_MAX_BODY_BYTES = 1_000_000; // 1MB
+
 /**
  * Options for creating an MCP Express application.
  */
@@ -22,6 +24,14 @@ export interface CreateMcpExpressAppOptions {
      * to restrict which hostnames are allowed.
      */
     allowedHosts?: string[];
+
+    /**
+     * Maximum JSON request body size in bytes.
+     * Used by the built-in `express.json()` middleware for basic DoS resistance.
+     *
+     * @default 1_000_000 (1 MB)
+     */
+    maxBodyBytes?: number;
 }
 
 /**
@@ -48,10 +58,10 @@ export interface CreateMcpExpressAppOptions {
  * ```
  */
 export function createMcpExpressApp(options: CreateMcpExpressAppOptions = {}): Express {
-    const { host = '127.0.0.1', allowedHosts } = options;
+    const { host = '127.0.0.1', allowedHosts, maxBodyBytes = DEFAULT_MAX_BODY_BYTES } = options;
 
     const app = express();
-    app.use(express.json());
+    app.use(express.json({ limit: maxBodyBytes }));
 
     // If allowedHosts is explicitly provided, use that for validation
     if (allowedHosts) {

packages/middleware/express/test/express.test.ts

@@ -1,4 +1,5 @@
 import type { NextFunction, Request, Response } from 'express';
+import request from 'supertest';
 import { vi } from 'vitest';
 
 import { createMcpExpressApp } from '../src/express.js';
@@ -178,5 +179,17 @@ describe('@modelcontextprotocol/express', () => {
 
             warn.mockRestore();
         });
+
+        test('should enforce maxBodyBytes on the built-in JSON parser', async () => {
+            const app = createMcpExpressApp({ maxBodyBytes: 10 });
+            app.post('/echo', (_req, res) => {
+                res.status(200).json({ ok: true });
+            });
+
+            const body = JSON.stringify({ a: '0123456789' }); // > 10 bytes
+            const res = await request(app).post('/echo').set('Host', '127.0.0.1').set('Content-Type', 'application/json').send(body);
+
+            expect(res.status).toBe(413);
+        });
     });
 });

packages/middleware/node/README.md

@@ -28,6 +28,8 @@ import { McpServer } from '@modelcontextprotocol/server';
 
 const server = new McpServer({ name: 'my-server', version: '1.0.0' });
 const app = createMcpExpressApp();
+// You can tune the built-in JSON body size limit:
+// const app = createMcpExpressApp({ maxBodyBytes: 200_000 });
 
 app.post('/mcp', async (req, res) => {
     const transport = new NodeStreamableHTTPServerTransport({ sessionIdGenerator: undefined });