---
title: Route accepts large response from external APIs
description: Datadog, the leading service for cloud-scale monitoring.
---

# Route accepts large response from external APIs
 
## Description{% #description %}

An API endpoint accepts large responses from external APIs without enforcing a size limit. When an application reads an upstream response of arbitrary size into memory, it is exposed to resource exhaustion: a malicious or compromised third-party API can return an oversized body, causing excessive memory consumption, denial of service, or buffer-related bugs in code that assumes the body is bounded.

## Rationale{% #rationale %}

This finding identifies an API route that consumes responses from external APIs whose response bodies exceed the expected size thresholds, which indicates that no response-size validation is applied before the body is read.

## Remediation{% #remediation %}

- Enforce a maximum response size when consuming external API responses; a declared `Content-Length` can be used to reject early, but it must not be the only check, since it may be absent (chunked transfer) or inaccurate
- Read the body as a stream, in chunks, and abort as soon as the running byte count exceeds the limit, so the full payload is never buffered in memory
- Set connect and read timeouts and resource limits for external API calls, so a slow or stalled upstream cannot hold memory or connections indefinitely
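The following is an added example, not Datadog's code or part of this rule, showing the three remediation steps together: an early reject on a declared `Content-Length`, a hard cap enforced while streaming, and a `requests` wrapper with separate connect and read timeouts. The `read_bounded`, `fetch_bounded` and `fake_upstream` names are this example's own, and the upstream responses are constructed in-process so the module runs offline.

```python
"""Bounded consumption of an upstream HTTP response body (added example)."""
from __future__ import annotations

from typing import Iterable, Iterator, Mapping, Optional, Tuple


class ResponseTooLarge(Exception):
    """Raised when an upstream body exceeds the caller's size budget."""


def declared_length(headers: Mapping[str, str]) -> Optional[int]:
    """Parse Content-Length when present; malformed or negative values count as unknown."""
    raw = headers.get("Content-Length")
    if raw is None:
        raw = headers.get("content-length")
    if raw is None:
        return None
    try:
        value = int(raw)
    except ValueError:
        return None
    return value if value >= 0 else None


def read_bounded(headers: Mapping[str, str], chunks: Iterable[bytes], max_bytes: int) -> bytes:
    """Consume a streamed body, aborting as soon as max_bytes is exceeded.

    The declared Content-Length lets us reject before reading a single byte, but it
    is only a hint: it may be absent (chunked transfer) or simply wrong, so the
    running byte count is what actually enforces the limit.
    """
    length = declared_length(headers)
    if length is not None and length > max_bytes:
        raise ResponseTooLarge(f"Content-Length {length} exceeds limit of {max_bytes} bytes")

    buf = bytearray()
    for chunk in chunks:
        buf.extend(chunk)
        if len(buf) > max_bytes:
            # Stop here; the caller should close the connection rather than drain the rest.
            raise ResponseTooLarge(f"body exceeded limit of {max_bytes} bytes")
    return bytes(buf)


def fetch_bounded(url: str, max_bytes: int, timeout: Tuple[float, float] = (3.05, 10.0)) -> bytes:
    """Wire read_bounded() into requests. stream=True defers the body until
    iter_content() hands it over in chunks, and the tuple timeout bounds connect
    and read time separately. Not exercised in the offline demo."""
    import requests  # imported here so the offline demo does not need it installed

    with requests.get(url, stream=True, timeout=timeout) as resp:
        resp.raise_for_status()
        return read_bounded(resp.headers, resp.iter_content(chunk_size=64 * 1024), max_bytes)


def fake_upstream(body: bytes, chunk_size: int = 1024,
                  content_length: Optional[str] = None) -> Tuple[dict, Iterator[bytes]]:
    """Constructed stand-in for a third-party API: returns headers and a lazy chunk iterator."""
    headers = {} if content_length is None else {"Content-Length": content_length}

    def chunks() -> Iterator[bytes]:
        for i in range(0, len(body), chunk_size):
            yield body[i:i + chunk_size]

    return headers, chunks()


def _rejected(headers: Mapping[str, str], chunks: Iterable[bytes], max_bytes: int) -> bool:
    """True when read_bounded() refused the body."""
    try:
        read_bounded(headers, chunks, max_bytes)
    except ResponseTooLarge:
        return True
    return False


def demo(max_bytes: int = 1000) -> dict:
    """Run the cases a reviewer would ask about; each value is True when the limit held."""
    results = {}

    headers, chunks = fake_upstream(b"x" * 500)
    results["small_body_ok"] = read_bounded(headers, chunks, max_bytes) == b"x" * 500

    headers, chunks = fake_upstream(b"x" * 5000, content_length="5000")
    results["declared_too_large_rejected"] = _rejected(headers, chunks, max_bytes)

    headers, chunks = fake_upstream(b"x" * 5000, content_length="10")  # header lies
    results["lying_content_length_rejected"] = _rejected(headers, chunks, max_bytes)

    headers, chunks = fake_upstream(b"x" * 5000)  # no header, as with chunked transfer
    results["unbounded_stream_rejected"] = _rejected(headers, chunks, max_bytes)

    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

Two design points are worth noting. The `Content-Length` check is an optimisation that saves the read entirely when the upstream is honest; the streaming counter is the real control and is what catches the lying-header and chunked cases. And once the limit trips, the code raises without draining the remainder of the body, so the budget bounds both memory and the bytes pulled from the upstream.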

### References{% #references %}

| Reference                                                                                                                         | Description                                                       |
| --------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- |
| [OWASP API10:2023 - Unsafe Consumption of APIs](https://owasp.org/API-Security/editions/2023/en/0xaa-unsafe-consumption-of-apis/) | OWASP API Security guidance on safely consuming third-party APIs. |
