Oversized HTTP request bodies can exhaust bandwidth, worker threads, and application resources, turning uploads and API endpoints into an easy denial-of-service target. Setting an explicit maximum request body size in Apache rejects abnormally large POST/PUT payloads early.

Apache HTTP Server enforces body-size limits with the core LimitRequestBody directive, which caps the total number of bytes accepted for the HTTP request body in the configuration context where it is defined (server, virtual host, directory, or .htaccess). A value of 0 means “unlimited”, and requests that exceed the configured cap are rejected instead of being processed.

Defaults and “surprise” failures depend on Apache version and vendor packaging: modern builds commonly use a 1 GiB default (1073741824 bytes), while older versions defaulted to unlimited unless explicitly configured, so upgrades can surface new HTTP 413 failures for large uploads. Reverse proxies and application stacks can also impose smaller caps (for example PHP post_max_size and upload_max_filesize), so the effective maximum upload size is the smallest limit in the chain.

Steps to limit request body size in Apache:

  1. Pick a maximum body size in bytes for the affected URL or directory.

    Common sizes: 1 MiB = 1048576, 10 MiB = 10485760, 50 MiB = 52428800, 100 MiB = 104857600.
    Multipart form uploads include boundaries and extra fields, so the cap should be slightly larger than the intended max file size.

  2. Identify the virtual host configuration file that serves the upload endpoint.
    $ sudo apache2ctl -S
    VirtualHost configuration:
    *:80                   host.example.net (/etc/apache2/sites-enabled/000-default.conf:1)
    ServerRoot: "/etc/apache2"
    Main DocumentRoot: "/var/www/html"
    Main ErrorLog: "/var/log/apache2/error.log"

    RHEL-family systems typically use /etc/httpd/conf.d/ and the httpd service name.

  3. Open the matching site configuration file for editing.
    $ sudoedit /etc/apache2/sites-available/000-default.conf

    On Debian and Ubuntu, /etc/apache2/sites-enabled/ commonly contains symlinks to /etc/apache2/sites-available/.

  4. Add a LimitRequestBody directive in the smallest matching context for the upload URL.
    <VirtualHost *:80>
        ServerName host.example.net
    
        <Location "/upload">
            LimitRequestBody 10485760
        </Location>
    </VirtualHost>

    Placing LimitRequestBody directly inside <VirtualHost> applies to all requests for that host.
    The directive is also permitted in .htaccess when AllowOverride permits it, but server configuration is preferred for predictable behavior.

  5. Validate the Apache configuration syntax.
    $ sudo apache2ctl configtest
    Syntax OK

  6. Reload the apache2 service to apply the change.
    $ sudo systemctl reload apache2

    A reload applies changes without dropping existing connections on a typical systemd setup.

  7. Create a test payload larger than the configured limit.
    $ dd if=/dev/zero of=/tmp/request-too-large.bin bs=1M count=11
    11+0 records in
    11+0 records out
    11534336 bytes (12 MB, 11 MiB) copied, 0.0034825 s, 3.3 GB/s

  8. Send the payload to a URL covered by the limit to confirm an HTTP 413 response.
    $ curl -s -o /dev/null -w "%{http_code}\n" -X POST --data-binary @/tmp/request-too-large.bin -H "Host: host.example.net" http://127.0.0.1/upload
    413

  9. Check the Apache access log for a body-size rejection entry.
    $ sudo tail -n 1 /var/log/apache2/access.log
    127.0.0.1 - - [10/Jan/2026:13:43:35 +0800] "POST /upload HTTP/1.1" 413 572 "-" "curl/8.5.0"
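
Because a value of 0 disables the cap and a missing directive falls back to a version-dependent default, it helps to audit which contexts actually carry a limit. The script below is an added example, not part of the original procedure: the function names, the sample configuration, and the 100 MiB policy ceiling are assumptions, and it reads a single file without following Include directives or .htaccess overrides.

```shell
#!/bin/sh
# Added example (not from the original page): audit LimitRequestBody settings.
# Reads an Apache config on stdin and prints STATUS<TAB>context<TAB>value for
# each directive. MAX_BYTES (arg 1, default 100 MiB) is an assumed policy cap.
# Include files and .htaccess overrides are not followed.
audit_limit_request_body() {
    awk -v max="${1:-104857600}" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }      # trim whitespace
        /^#/ || /^$/ { next }                             # skip comments/blank lines
        /^<\// { if (depth > 0) depth--; next }           # closing tag: leave context
        /^</ { tag = $0; gsub(/[<>]/, "", tag); ctx[++depth] = tag; next }
        tolower($1) == "limitrequestbody" {               # directive names are case-insensitive
            found = 1
            where = "server"
            for (i = 1; i <= depth; i++) where = (i == 1) ? ctx[i] : where " > " ctx[i]
            if ($2 !~ /^[0-9]+$/)  status = "INVALID"
            else if ($2 + 0 == 0)  status = "UNLIMITED"   # 0 disables the cap
            else if ($2 + 0 > max) status = "TOO_LARGE"
            else                   status = "OK"
            if (status != "OK") bad = 1
            printf "%s\t%s\t%s\n", status, where, $2
        }
        END {
            # No directive: the version-dependent built-in default applies.
            if (!found) { print "NO_DIRECTIVE\tserver\tbuilt-in default"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample configuration for the demonstration.
sample_config() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName host.example.net
    LimitRequestBody 0
    <Location "/upload">
        LimitRequestBody 10485760
    </Location>
    <Directory "/var/www/html/import">
        limitrequestbody 1073741824
    </Directory>
</VirtualHost>
EOF
}

# Exit status is 1 when any finding is not OK; "|| true" keeps the demo going.
sample_config | audit_limit_request_body 104857600 || true
```

To check a real site file, redirect it to the function's standard input, for example the 000-default.conf file edited in step 3.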