
Mitigate Vercel 413 upload failures with strict payload limits, validation, and user-facing error handling #2

Merged: gzhang33 merged 5 commits into master from copilot/fix-file-upload-413-error on May 9, 2026

Copilot AI commented May 9, 2026


This PR addresses 413 FUNCTION_PAYLOAD_TOO_LARGE on Vercel by hardening the current server-upload path to block oversize payloads early, enforce file safety constraints, and return clear UI feedback instead of opaque failures.
Given the existing Flask/Vercel deployment shape, the changes focus on minimal-risk production mitigation while preserving current conversion flow.

  • Upload-path hard limits (server-side)

    • Set request body cap below Vercel’s 4.5MB boundary (MAX_CONTENT_LENGTH = 4MB safety margin).
    • Enforced aggregate upload-size guard during /upload processing.
    • Added one-shot session error channel for upload-form feedback.
  • Validation and safety policy

    • Introduced centralized payload validation (validate_upload_payload) for:
      • file extension whitelist (.jpg/.jpeg/.png)
      • MIME whitelist (image/jpeg, image/png)
      • per-file size limit
      • decodable raster-image check
    • Kept existing path safety controls (safe_subdir, path-under-root checks) intact.
  • 413 + payload-too-large UX fallback

    • Added RequestEntityTooLarge handler that redirects to upload page with concise user-facing message.
    • Surfaced form-level error banner on the upload page for 413 and client-precheck failures.
  • Client-side preflight and state recovery

    • Added reusable front-end validation helpers for type/size/total-size checks before submit.
    • Added bounded multi-error display and total-size short-circuiting.
    • Added browser-compat fallback when DataTransfer assignment is unavailable, with explicit recovery guidance.
  • Critical regression coverage

    • Added focused tests for invalid type rejection, oversize file rejection, and 413 redirect/error visibility path.
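
```python
# src/imgtowebp/web/app.py
from flask import redirect, session, url_for
from werkzeug.exceptions import RequestEntityTooLarge

# app, SESSION_FORM_ERROR_ONCE_KEY, UPLOAD_TOTAL_LIMIT_BYTES and limit_label
# are defined elsewhere in the project (not shown in this excerpt).

# Reject request bodies over 4 MB, below Vercel's 4.5 MB boundary.
app.config["MAX_CONTENT_LENGTH"] = 4 * 1024 * 1024

@app.errorhandler(RequestEntityTooLarge)
def handle_request_too_large(_error: RequestEntityTooLarge):
    # Store a one-shot message for the upload form, then redirect (303 See Other).
    session[SESSION_FORM_ERROR_ONCE_KEY] = (
        f"Upload is too large. Keep total upload size under {limit_label(UPLOAD_TOTAL_LIMIT_BYTES)}."
    )
    return redirect(url_for("index"), code=303)
```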
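
An added example (not code from this PR or the imgtowebp project) of the layered server-side checks the description lists for `validate_upload_payload`: extension allowlist, MIME allowlist, per-file limit, aggregate limit and a content check. The name `check_upload_batch`, the 2 MB per-file cap and the sample inputs are assumptions, and a file-signature test stands in for the full decodable-image check.

```python
import os

TOTAL_LIMIT = 4 * 1024 * 1024     # same value as the PR's MAX_CONTENT_LENGTH
PER_FILE_LIMIT = 2 * 1024 * 1024  # assumed; the PR does not state the per-file cap

# extension -> (expected MIME type, leading file signature)
ALLOWED = {
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
}


def check_upload_batch(files, per_file_limit=PER_FILE_LIMIT, total_limit=TOTAL_LIMIT):
    """files: iterable of (filename, declared_mime, data). Returns a list of errors."""
    errors, total = [], 0
    for name, mime, data in files:
        total += len(data)
        if total > total_limit:
            # Aggregate guard: stop inspecting once the batch is over budget.
            errors.append("total upload size exceeds limit")
            break
        ext = os.path.splitext(name)[1].lower()
        rule = ALLOWED.get(ext)
        if rule is None:
            errors.append(f"{name!r}: extension not allowed")
            continue
        expected_mime, signature = rule
        if mime.lower() != expected_mime:
            # The declared MIME type is client-supplied, so it is only a first filter.
            errors.append(f"{name!r}: MIME type does not match extension")
        elif len(data) > per_file_limit:
            errors.append(f"{name!r}: exceeds per-file limit")
        elif not data.startswith(signature):
            # Content check: the bytes must look like the claimed format.
            errors.append(f"{name!r}: content is not a valid {ext} image")
    return errors


if __name__ == "__main__":
    # Constructed sample inputs (header bytes plus padding, not real images).
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    batch = [
        ("photo.png", "image/png", png),
        ("notes.gif", "image/gif", b"GIF89a"),
        ("script.png", "image/png", b"<?php echo 1; ?>"),
    ]
    for err in check_upload_batch(batch):
        print(err)
```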


vercel Bot commented May 9, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| imgtowebp | Ready | Preview, Comment | May 9, 2026 4:24pm |

gzhang33 marked this pull request as ready for review May 9, 2026 16:44
Copilot AI review requested due to automatic review settings May 9, 2026 16:44
gzhang33 merged commit a77fde7 into master May 9, 2026
5 checks passed
gzhang33 deleted the copilot/fix-file-upload-413-error branch May 9, 2026 16:44
Copilot AI review requested due to automatic review settings May 9, 2026 17:08