TsgcWebSocketHTTPServer › Properties › MaxMessageSize
Maximum size in bytes of an inbound WebSocket message; protects the server from memory-exhaustion attacks.
property MaxMessageSize: Int64 read FMaxMessageSize write FMaxMessageSize;
Default value: 67108864 (64 MB). Use 0 for unlimited.
A WebSocket message has no inherent size limit, so a malicious client can try to exhaust server memory in several ways: declaring a huge frame length, never finishing a fragmented message (an endless stream of continuation frames) or sending a small per-message-deflate frame that inflates to gigabytes (a “decompression bomb”). MaxMessageSize bounds all three: the server rejects a frame whose declared length exceeds the limit, caps the total size of a reassembled fragmented message, and aborts decompression once the inflated output reaches the limit. When the limit is exceeded the connection is closed with WebSocket close code 1009 (Message Too Big).
The default of 64 MB is safe for the vast majority of applications. Raise it if your application legitimately exchanges larger messages, or lower it to tighten the memory bound on a public-facing server. A value of 0 disables the limit (not recommended for servers reachable from untrusted networks). Independently of this value, a 64-bit frame length with the high bit set is always rejected as a protocol error, so the limit cannot be bypassed by integer overflow.
The same property is available on TsgcWebSocketServer and the http.sys server TsgcWebSocketServer_HTTPAPI. For connection-rate and message-rate limiting, combine it with RateLimiter and Firewall.
oServer := TsgcWebSocketHTTPServer.Create(nil);
oServer.Port := 80;
// accept messages up to 16 MB, close 1009 on anything larger
oServer.MaxMessageSize := 16 * 1024 * 1024;
oServer.Active := true;
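The three checks described in the remarks above, sketched in Python as an added illustration; this is not sgcWebSockets code and not the library's implementation. The names `Close`, `declared_length`, `check_frame`, `bounded_inflate` and `make_deflated` are hypothetical, and the sketch assumes a message of exactly the limit is still accepted.

```python
import struct
import zlib

LIMIT = 16 * 1024 * 1024      # 16 MB, as in the page's example; 0 = unlimited

class Close(Exception):
    def __init__(self, code, reason):
        super().__init__(reason)
        self.code = code                       # WebSocket close code to send

def declared_length(header):
    """Payload length declared by a frame header (RFC 6455 section 5.2)."""
    n = header[1] & 0x7F                       # drop the MASK bit
    if n == 126:
        n = struct.unpack("!H", header[2:4])[0]
    elif n == 127:
        n = struct.unpack("!Q", header[2:10])[0]
        if n >> 63:                            # rejected whatever the limit is
            raise Close(1002, "64-bit length with high bit set")
    return n

def check_frame(header, buffered=0, limit=LIMIT):
    """Checks 1 and 2: this frame plus fragments already buffered fit the limit."""
    total = buffered + declared_length(header)
    if limit and total > limit:
        raise Close(1009, "message too big")
    return total

def bounded_inflate(payload, limit=LIMIT):
    """Check 3: inflate a permessage-deflate payload, stopping at the limit."""
    d = zlib.decompressobj(wbits=-15)          # raw DEFLATE, RFC 7692
    data = payload + b"\x00\x00\xff\xff"       # tail the sender stripped
    # max_length bounds the output buffer; 0 means no bound in zlib
    out = d.decompress(data, limit + 1 if limit else 0)
    if limit and len(out) > limit:
        raise Close(1009, "inflated message too big")
    return out

def make_deflated(message):
    """Constructed sample input: compress as a permessage-deflate sender would."""
    c = zlib.compressobj(wbits=-15)
    return (c.compress(message) + c.flush(zlib.Z_SYNC_FLUSH))[:-4]

if __name__ == "__main__":
    bomb = make_deflated(b"\x00" * (4 * 1024 * 1024))   # constructed: 4 MB of zeros
    try:
        bounded_inflate(bomb, limit=64 * 1024)
    except Close as e:
        print(len(bomb), "byte payload rejected with close code", e.code)
```

The point of passing the bound to the decompressor itself is that the oversized output is never materialised: a check made after a full inflate would already have spent the memory.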