DRAFT

This page contains content that we have migrated from Jetty 7 or Jetty 8 documentation into the correct format, but we have not yet audited it for technical accuracy with Jetty 9. Be aware that examples or information contained on this page may be incorrect. Please check back soon as we continue improving the documentation, or submit corrections yourself to this page through GitHub. Thank you.

Limiting Form Content

Form content sent to the server is processed by Jetty into a map of parameters to be used by the web application. This processing is open to denial-of-service (DoS) attacks, because a malicious client that sends very large form content or a large number of form keys can consume significant memory and CPU. Jetty therefore limits the amount of data and the number of keys that can be in a form posted to Jetty.

The default maximum size Jetty permits is 200000 bytes and 1000 keys. You can change this default for a particular webapp or for all webapps on a particular Server instance.

Configuring Form Limits for a Webapp

To configure the form limits for a single web application, configure the context handler (or WebAppContext) instance using the following methods:

ContextHandler.setMaxFormContentSize(int maxSizeInBytes);
ContextHandler.setMaxFormKeys(int formKeys);    
      

These methods may be called directly when embedding Jetty, but more commonly they are configured from a context XML file or a WEB-INF/jetty-web.xml file:

<Configure class="org.eclipse.jetty.webapp.WebAppContext">

  ...
 
  <Set name="maxFormContentSize">200000</Set>
  <Set name="maxFormKeys">200</Set>
</Configure>    
      

Configuring Form Limits for the Server

If a context does not have specific form limits configured, then the server attributes are inspected to see if a server-wide limit has been set on the size or the number of keys. The following XML shows how these attributes can be set in jetty.xml:

<Configure class="org.eclipse.jetty.server.Server">

  ...

  <Call name="setAttribute">
    <Arg>org.eclipse.jetty.server.Request.maxFormContentSize</Arg>
    <Arg>100000</Arg>
  </Call>
  <Call name="setAttribute">
    <Arg>org.eclipse.jetty.server.Request.maxFormKeys</Arg>
    <Arg>2000</Arg>
  </Call>
</Configure>
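
The lookup order described above (context setting, then server attribute, then the default) can be checked against a deployment's configuration files. The following is an added example, not part of the Jetty documentation or code base: a Python sketch that reads a context XML and a jetty.xml and reports the effective limit and where it comes from. The function names and the sample XML are constructed for illustration, it only recognises the two XML forms shown on this page, and it flags any value that is not positive and at or below the defaults stated here for manual review (how Jetty treats zero or negative values is not covered on this page).

```python
import xml.etree.ElementTree as ET

DEFAULTS = {"maxFormContentSize": 200000, "maxFormKeys": 1000}  # defaults stated on this page
PREFIX = "org.eclipse.jetty.server.Request."

# Constructed sample files (not from a real deployment).
SAMPLE_CONTEXT = """<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Set name="maxFormKeys">200</Set>
</Configure>"""
SAMPLE_SERVER = """<Configure class="org.eclipse.jetty.server.Server">
  <Call name="setAttribute">
    <Arg>org.eclipse.jetty.server.Request.maxFormContentSize</Arg>
    <Arg>100000</Arg>
  </Call>
  <Call name="setAttribute">
    <Arg>org.eclipse.jetty.server.Request.maxFormKeys</Arg>
    <Arg>2000</Arg>
  </Call>
</Configure>"""

def context_limits(xml_text):
    """Limits set with <Set name="..."> directly under <Configure>."""
    root = ET.fromstring(xml_text)
    return {s.get("name"): int((s.text or "").strip())
            for s in root.findall("Set") if s.get("name") in DEFAULTS}

def server_limits(xml_text):
    """Limits set with <Call name="setAttribute"> and two <Arg> children."""
    found = {}
    for call in ET.fromstring(xml_text).findall("Call"):
        args = [(a.text or "").strip() for a in call.findall("Arg")]
        if call.get("name") == "setAttribute" and len(args) == 2 \
                and args[0].startswith(PREFIX) and args[0][len(PREFIX):] in DEFAULTS:
            found[args[0][len(PREFIX):]] = int(args[1])
    return found

def effective_limits(context_xml, server_xml):
    """Per limit: context value, else server attribute, else default.
    Returns {name: (value, source, needs_review)}."""
    ctx, srv = context_limits(context_xml), server_limits(server_xml)
    report = {}
    for name, default in DEFAULTS.items():
        value, source = ((ctx[name], "context") if name in ctx else
                         (srv[name], "server") if name in srv else
                         (default, "default"))
        # Flag values that are not positive and at or below the default.
        report[name] = (value, source, not 0 < value <= default)
    return report

if __name__ == "__main__":
    for name, row in effective_limits(SAMPLE_CONTEXT, SAMPLE_SERVER).items():
        print(name, *row)
```

With the sample files, the context's own maxFormKeys applies, while maxFormContentSize falls through to the server attribute. A context that sets neither would inherit the server-wide key limit of 2000, which the script flags because it is above the default.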
      
