Update JSON limits Docs for Vault

Author: biazmoreira

content/vault/global/partials/important-changes/summary-tables/1_16.mdx

@@ -19,6 +19,7 @@ Introduced | Recommendations | Edition    | Change
 1.16.0     | **Yes**         | All        | [Secrets Sync cannot be activated from chroot namespace](/vault/docs/v1.16.x/updates/important-changes#secrets-sync-cannot-be-activated-from-chroot-namespace)
 1.16.0     | No              | Enterprise | [Secrets Sync now requires setting a one-time flag before use](/vault/docs/v1.16.x/updates/important-changes#secrets-sync-now-requires-setting-a-one-time-flag-before-use)
 1.16.18    | No              | All        | [Strict validation for Azure auth login requests](/vault/docs/v1.16.x/updates/important-changes#strict-azure)
+1.16.25    | No              | All        | [JSON Payload Limits](/vault/docs/v1.16.x/updates/important-changes#json-limits)
 
 
 ### Known issues

content/vault/global/partials/important-changes/summary-tables/1_18.mdx

@@ -19,6 +19,7 @@ Introduced | Recommendations | Edition    | Change
 1.18.0     | **Yes**         | All        | [Docker image no longer contains curl](/vault/docs/v1.18.x/updates/important-changes#docker-image-no-longer-contains-curl)
 1.18.2     | **Yes**         | All        | [Anonymous product usage metrics collection](/vault/docs/v1.18.x/updates/important-changes#product-usage-reporting)
 1.18.7     | No              | All        | [Strict validation for Azure auth login requests](/vault/docs/v1.18.x/updates/important-changes#azure-auth-plugin-requires-resource_group_name-vm_name-and-vmss_name-to-match-the-jwt-claims-on-login)
+1.18.14    | No              | All        | [JSON Payload Limits](/vault/docs/v1.18.x/updates/important-changes#json-limits)
 
 
 ### Known issues

content/vault/global/partials/important-changes/summary-tables/1_19.mdx

@@ -22,6 +22,7 @@ Introduced | Recommendations | Edition    | Change
 1.19.0     | No              | All        | [RADIUS authentication is no longer case sensitive](/vault/docs/v1.19.x/updates/important-changes#case-sensitive)
 1.19.0     | No              | All        | [Transit support for Ed25519ph and Ed25519ctx signatures](/vault/docs/v1.19.x/updates/important-changes#ed25519)
 1.19.1     | **Yes**         | All        | [Strict validation for Azure auth login requests](/vault/docs/v1.19.x/updates/important-changes#strict-azure)
+1.19.9     | No              | All        | [JSON Payload Limits](/vault/docs/v1.19.x/updates/important-changes#json-limits)
 
 
 ### Known issues

content/vault/global/partials/important-changes/summary-tables/1_20.mdx

@@ -14,6 +14,8 @@ Introduced | Recommendations | Edition    | Change
 ---------- | --------------- | ---------- | ------
 1.20.0     | **Yes**         | All        | [Key pair authentication for Snowflake DB secrets engine](/vault/docs/v1.20.x/updates/important-changes#snowflake-keypair-auth)
 1.20.0     | **Yes**         | All        | [Audience warning for Kubernetes authentication roles](#k8-audience-warning)
+1.20.3     | No              | All        | [JSON Payload Limits](/vault/docs/v1.20.x/updates/important-changes#json-limits)
+
 
 
 ### Known issues

content/vault/v1.16.x/content/api-docs/index.mdx

@@ -316,4 +316,19 @@ A maximum request size of 32MB is imposed to prevent a denial of service attack
 with arbitrarily large requests; this can be tuned per `listener` block in
 Vault's server configuration file.
 
+Vault also supports several listener options to enforce payload size limits for to incoming JSON
+request bodies.
+
+You can configure the payload limits individullly on each listener and give
+administrators granular control over the:
+
+- maximum allowed nesting depth of a JSON object or array (`max_json_depth`).
+- maximum allowed length for any single string value in the payload (`max_json_string_value_length`.)
+- maximum number of key-value pairs allowed in a single JSON object (`max_json_object_entry_count`).
+- maximum number of elements permitted in a single JSON array `max_json_array_element_count`.
+
+The configuration defaults provide intentionally generous limits to accommodate
+a wide range of legitimate use cases while still guarding against most malicious
+or malformed requests.
+
 [proxy]: /vault/docs/agent-and-proxy/proxy#listener-stanza

content/vault/v1.18.x/content/api-docs/index.mdx

@@ -340,4 +340,19 @@ A maximum request size of 32MB is imposed to prevent a denial of service attack
 with arbitrarily large requests; this can be tuned per `listener` block in
 Vault's server configuration file.
 
+Vault also supports several listener options to enforce payload size limits for to incoming JSON
+request bodies.
+
+You can configure the payload limits individullly on each listener and give
+administrators granular control over the:
+
+- maximum allowed nesting depth of a JSON object or array (`max_json_depth`).
+- maximum allowed length for any single string value in the payload (`max_json_string_value_length`.)
+- maximum number of key-value pairs allowed in a single JSON object (`max_json_object_entry_count`).
+- maximum number of elements permitted in a single JSON array `max_json_array_element_count`.
+
+The configuration defaults provide intentionally generous limits to accommodate
+a wide range of legitimate use cases while still guarding against most malicious
+or malformed requests.
+
 [proxy]: /vault/docs/agent-and-proxy/proxy#listener-stanza

content/vault/v1.18.x/content/docs/upgrading/upgrade-to-1.16.x.mdx

@@ -2,8 +2,8 @@
 layout: docs
 page_title: Upgrade to Vault 1.16.x - Guides
 description: |-
-  Deprecations, important or breaking changes, and remediation recommendations
-  for anyone upgrading to 1.16.x from Vault 1.15.x.
+Deprecations, important or breaking changes, and remediation recommendations
+for anyone upgrading to 1.16.x from Vault 1.15.x.
 ---
 
 # Overview
@@ -18,13 +18,13 @@ Vault 1.15. **Please read carefully**.
 
 ## Important changes
 
-### JSON payload limits (##json-payload-limits)
+### JSON Payload Limits ((#json-limits))
 
-| Change       | Affected version | Vault edition
-| ------------ | ---------------- | -------------
-| New behavior | 1.16.25           | All
-|              |                  |              |
-|              |                  |              |
+| Change       | Affected version                 | Vault edition |
+|--------------|----------------------------------|---------------|
+| New behavior | 1.16.25, 1.18.14, 1.19.9, 1.20.3 | All           |
+|              |                                  |               |
+|              |                                  |               |
 
 To guard against potential Denial-of-Service (DoS) attacks, Vault now supports
 several listener options to enforce payload size limits for to incoming JSON
@@ -79,9 +79,9 @@ more details on plugin environment variables.
 
 <Highlight title="Avoid conflicts with containerized plugins">
 
-  Containerized plugins do not inherit system-defined environment variables. As
-  a result, containerized plugins cannot have conflicts with Vault environment
-  variables.
+    Containerized plugins do not inherit system-defined environment variables. As
+    a result, containerized plugins cannot have conflicts with Vault environment
+    variables.
 
 </Highlight>
 
@@ -98,10 +98,10 @@ $ export VAULT_PLUGIN_USE_LEGACY_ENV_LAYERING=true
 Setting `VAULT_PLUGIN_USE_LEGACY_ENV_LAYERING` to `true` tells Vault to:
 
 1. prioritize environment variables from the Vault server environment whenever
-   the system detects a variable conflict.
+the system detects a variable conflict.
 1. report on plugin variable conflicts during the unseal process by printing
-   warnings for plugins with conflicting environment variables or logging an
-   informational entry when there are no conflicts.
+warnings for plugins with conflicting environment variables or logging an
+informational entry when there are no conflicts.
 
 For example, assume you set `VAULT_PLUGIN_USE_LEGACY_ENV_LAYERING` to `true`
 and have an environment variable `SOURCE=parent`.
@@ -161,14 +161,14 @@ endpoint, will result in the following warning from Vault:
 
 <CodeBlockConfig hideClipboard>
 
-  ```shell-session
+    ```shell-session
 
-  WARNING! The following warnings were returned from Vault:
+    WARNING! The following warnings were returned from Vault:
 
-  * default_report_months is deprecated: defaulting to billing start time
+    * default_report_months is deprecated: defaulting to billing start time
 
 
-  ```
+    ```
 
 </CodeBlockConfig>
 
@@ -180,14 +180,15 @@ Attempts to set `current_billing_period` will result in the following warning fr
 
 <CodeBlockConfig hideClipboard>
 
-  ```shell-session
+    ```shell-session
 
-  WARNING! The following warnings were returned from Vault:
+    WARNING! The following warnings were returned from Vault:
 
-  * current_billing_period is deprecated; unless otherwise specified, all requests will default to the current billing period
+    * current_billing_period is deprecated; unless otherwise specified, all requests will default to the current billing
+    period
 
 
-  ```
+    ```
 
 </CodeBlockConfig>
 

content/vault/v1.18.x/content/docs/upgrading/upgrade-to-1.18.x.mdx

@@ -18,47 +18,29 @@ Vault 1.17. **Please read carefully**.
 
 ## Important changes
 
-### JSON Payload Limits
-
-| Change       | Affected version | Vault edition
-| ------------ | ---------------- | -------------
-| New behavior | 1.18.14           | All
-|              |                  |              |
-|              |                  |              |
-
-To provide deeper protection against potential Denial-of-Service (DoS) attacks, this release
-introduces several new security limits that are applied to incoming JSON request bodies.
-These settings are configured on a listener and give administrators granular control over the
-structure and size of JSON payloads that Vault will process.
-We've chosen defaults that are intentionally generous to accommodate a wide range of
-legitimate use cases, but they provide a strong defense against malicious or malformed requests.
-
-`max_json_depth`
-This parameter specifies the maximum allowed nesting depth of a JSON object or array.
-It serves as a critical defense against "JSON depth bomb" attacks, where a malicious
-client sends a deeply nested payload to cause a stack overflow on the server.
-The default value is 500, which is well above the nesting level of any typical
-Vault configuration or secret, providing a robust safeguard without impacting normal operations.
-
-`max_json_string_value_length`
-This parameter defines the maximum allowed length for any single string value
-within a JSON payload, measured in bytes. This limit prevents a client from
-sending a request with an extremely large string to cause excessive memory allocation on the server.
-The default value is 1,048,576 bytes (1MB), which is aligned with Vault's default storage backend
-limit and is large enough to comfortably accommodate common secrets like full TLS certificate chains.
-
-`max_json_object_entry_count`
-This parameter sets the maximum number of key-value pairs allowed in a single JSON object.
-This is a direct defense against HashDoS (Hash Flooding) attacks, where an attacker could send
-an object with an enormous number of keys to overwhelm the server's CPU. A legitimate JSON object
-with more than 10,000 keys is extremely rare, so the default provides a high ceiling for normal operations
-while ensuring server stability.
-
-`max_json_array_element_count`
-This parameter determines the maximum number of elements permitted in a single JSON array.
-Its primary purpose is to protect the server from having to construct and hold a massive,
-memory-intensive array in a single API response, which is most common during LIST operations on secrets paths.
-The default of 10,000 elements acts as a sensible guardrail.
+### JSON Payload Limits ((#json-limits))
+
+| Change       | Affected version                 | Vault edition |
+|--------------|----------------------------------|---------------|
+| New behavior | 1.16.25, 1.18.14, 1.19.9, 1.20.3 | All           |
+|              |                                  |               |
+|              |                                  |               |
+
+To guard against potential Denial-of-Service (DoS) attacks, Vault now supports
+several listener options to enforce payload size limits for to incoming JSON
+request bodies.
+
+You can configure the payload limits individullly on each listener and give
+administrators granular control over the:
+
+- maximum allowed nesting depth of a JSON object or array (`max_json_depth`).
+- maximum allowed length for any single string value in the payload (`max_json_string_value_length`.)
+- maximum number of key-value pairs allowed in a single JSON object (`max_json_object_entry_count`).
+- maximum number of elements permitted in a single JSON array `max_json_array_element_count`.
+
+The configuration defaults provide intentionally generous limits to accommodate
+a wide range of legitimate use cases while still guarding against most malicious
+or malformed requests.
 
 ### Rekey cancellations use a nonce ((#rekey-cancel-nonce))
 | Change       | Affected version | Affected deployments

content/vault/v1.19.x/content/api-docs/index.mdx

@@ -340,4 +340,19 @@ A maximum request size of 32MB is imposed to prevent a denial of service attack
 with arbitrarily large requests; this can be tuned per `listener` block in
 Vault's server configuration file.
 
+Vault also supports several listener options to enforce payload size limits for to incoming JSON
+request bodies.
+
+You can configure the payload limits individullly on each listener and give
+administrators granular control over the:
+
+- maximum allowed nesting depth of a JSON object or array (`max_json_depth`).
+- maximum allowed length for any single string value in the payload (`max_json_string_value_length`.)
+- maximum number of key-value pairs allowed in a single JSON object (`max_json_object_entry_count`).
+- maximum number of elements permitted in a single JSON array `max_json_array_element_count`.
+
+The configuration defaults provide intentionally generous limits to accommodate
+a wide range of legitimate use cases while still guarding against most malicious
+or malformed requests.
+
 [proxy]: /vault/docs/agent-and-proxy/proxy#listener-stanza

content/vault/v1.19.x/content/docs/updates/important-changes.mdx

@@ -22,47 +22,29 @@ before upgrading Vault.
 
 ## New behavior
 
-### JSON Payload Limits
-
-| Change       | Affected version | Vault edition
-| ------------ | ---------------- | -------------
-| New behavior | 1.19.9           | All
-|              |                  |              |
-|              |                  |              |
-
-To provide deeper protection against potential Denial-of-Service (DoS) attacks, this release
-introduces several new security limits that are applied to incoming JSON request bodies.
-These settings are configured on a listener and give administrators granular control over the
-structure and size of JSON payloads that Vault will process.
-We've chosen defaults that are intentionally generous to accommodate a wide range of
-legitimate use cases, but they provide a strong defense against malicious or malformed requests.
-
-`max_json_depth`
-This parameter specifies the maximum allowed nesting depth of a JSON object or array.
-It serves as a critical defense against "JSON depth bomb" attacks, where a malicious
-client sends a deeply nested payload to cause a stack overflow on the server.
-The default value is 500, which is well above the nesting level of any typical
-Vault configuration or secret, providing a robust safeguard without impacting normal operations.
-
-`max_json_string_value_length`
-This parameter defines the maximum allowed length for any single string value
-within a JSON payload, measured in bytes. This limit prevents a client from
-sending a request with an extremely large string to cause excessive memory allocation on the server.
-The default value is 1,048,576 bytes (1MB), which is aligned with Vault's default storage backend
-limit and is large enough to comfortably accommodate common secrets like full TLS certificate chains.
-
-`max_json_object_entry_count`
-This parameter sets the maximum number of key-value pairs allowed in a single JSON object.
-This is a direct defense against HashDoS (Hash Flooding) attacks, where an attacker could send
-an object with an enormous number of keys to overwhelm the server's CPU. A legitimate JSON object
-with more than 10,000 keys is extremely rare, so the default provides a high ceiling for normal operations
-while ensuring server stability.
-
-`max_json_array_element_count`
-This parameter determines the maximum number of elements permitted in a single JSON array.
-Its primary purpose is to protect the server from having to construct and hold a massive,
-memory-intensive array in a single API response, which is most common during LIST operations on secrets paths.
-The default of 10,000 elements acts as a sensible guardrail.
+### JSON Payload Limits ((#json-limits))
+
+| Change       | Affected version                 | Vault edition |
+|--------------|----------------------------------|---------------|
+| New behavior | 1.16.25, 1.18.14, 1.19.9, 1.20.3 | All           |
+|              |                                  |               |
+|              |                                  |               |
+
+To guard against potential Denial-of-Service (DoS) attacks, Vault now supports
+several listener options to enforce payload size limits for to incoming JSON
+request bodies.
+
+You can configure the payload limits individullly on each listener and give
+administrators granular control over the:
+
+- maximum allowed nesting depth of a JSON object or array (`max_json_depth`).
+- maximum allowed length for any single string value in the payload (`max_json_string_value_length`.)
+- maximum number of key-value pairs allowed in a single JSON object (`max_json_object_entry_count`).
+- maximum number of elements permitted in a single JSON array `max_json_array_element_count`.
+
+The configuration defaults provide intentionally generous limits to accommodate
+a wide range of legitimate use cases while still guarding against most malicious
+or malformed requests.
 
 ### Transit support for Ed25519ph and Ed25519ctx signatures ((#ed25519))