---
title: Limit Upload File Size And Count
impact: HIGH
impactDescription: prevents DoS via resource exhaustion
tags: upload, dos, resource-limits, files, security, csharp
---

## Limit Upload File Size And Count

Unrestricted file uploads can exhaust server disk space and memory (DoS).

**Incorrect (unlimited):**

```csharp
[HttpPost]
public async Task<IActionResult> Upload(List<IFormFile> files)
{
    foreach (var file in files)
    {
        // No size check!
        await file.CopyToAsync(stream);
    }
}
```

**Correct (limits):**

```csharp
// Global limit in Startup
services.Configure<FormOptions>(options =>
{
    options.MultipartBodyLengthLimit = 10 * 1024 * 1024; // 10MB
});

// Action-specific limit
[HttpPost]
[RequestSizeLimit(10 * 1024 * 1024)]
public async Task<IActionResult> Upload(List<IFormFile> files)
{
    if (files.Count > 5) return BadRequest("Too many files");

    foreach (var file in files)
    {
        if (file.Length > 2 * 1024 * 1024) return BadRequest("File too large");
        // ...
    }
}
```

**Tools:** ASP.NET Core Middleware, IIS Request Filtering