docs(config): add recommended security settings for public-facing nodes

Barbatos · Barbatos · commit 968db25552b1 · 2026-04-02T09:39:25.000+08:00
- node.http.maxRequestBodySize: 5MB default
- node.jsonrpc: maxBatchSize, maxResponseSize, maxRequestTimeout,
  maxAddressSize with geth-aligned defaults
- rate.limiter.http: recommended QPS for TriggerConstantContractServlet
  and EstimateEnergyServlet
- global.qps / global.ip.qps: recommended values in comments
- vm.maxEnergyLimitForConstant / maxConcurrentConstantCalls: recommended
  values in comments
diff --git a/framework/src/main/resources/config.conf b/framework/src/main/resources/config.conf
@@ -176,6 +176,12 @@ node {
 
   maxHttpConnectNumber = 50
 
+  http {
+    # Maximum HTTP request body size in bytes, default 5MB (aligned with geth).
+    # Rejects oversized requests before buffering. Set to 0 to disable.
+    # maxRequestBodySize = 5242880
+  }
+
   minParticipationRate = 15
 
   # allowShieldedTransactionApi = true
@@ -375,6 +381,17 @@ node {
     maxSubTopics = 1000
     # Allowed maximum number for blockFilter
     maxBlockFilterNum = 50000
+    # Maximum number of requests in a JSON-RPC batch, default 1000 (aligned with geth).
+    # Set to 0 to disable limit.
+    # maxBatchSize = 1000
+    # Maximum response size in bytes, default 25MB (aligned with geth).
+    # Set to 0 to disable limit.
+    # maxResponseSize = 26214400
+    # Maximum request processing time in seconds, default 30 (aligned with geth).
+    # maxRequestTimeout = 30
+    # Maximum number of addresses in eth_getLogs filter, default 1000 (aligned with geth).
+    # Set to 0 to disable limit.
+    # maxAddressSize = 1000
   }
 
   # Disabled api list, it will work for http, rpc and pbft, both FullNode and SolidityNode,
@@ -413,6 +430,19 @@ rate.limiter = {
     #    component = "ListWitnessesServlet",
     #    strategy = "QpsRateLimiterAdapter",
     #    paramString = "qps=1"
+    #  },
+
+    # Recommended: rate limit constant call endpoints to mitigate DoS.
+    # constant calls are free (no TRX cost) and can consume significant CPU.
+    #  {
+    #    component = "TriggerConstantContractServlet",
+    #    strategy = "QpsRateLimiterAdapter",
+    #    paramString = "qps=20"
+    #  },
+    #  {
+    #    component = "EstimateEnergyServlet",
+    #    strategy = "QpsRateLimiterAdapter",
+    #    paramString = "qps=10"
     #  }
   ],
 
@@ -442,9 +472,9 @@ rate.limiter = {
     # disconnect = 1.0
   }
 
-  # global qps, default 50000
+  # global qps, default 50000. Recommended: 10000 for public-facing nodes.
   global.qps = 50000
-  # IP-based global qps, default 10000
+  # IP-based global qps, default 10000. Recommended: 1000 for public-facing nodes.
   global.ip.qps = 10000
 }
 
@@ -688,7 +718,11 @@ trx.reference.block = "solid" // "head" or "solid"
 
 vm = {
   supportConstant = false
+  # Maximum energy for constant calls. Recommended: 10000000 for public-facing nodes.
+  # Default 100000000 (~100s CPU per call). Lower values reduce DoS attack surface.
   maxEnergyLimitForConstant = 100000000
+  # Maximum concurrent constant calls. Default 8. Set to 0 to disable limit.
+  # maxConcurrentConstantCalls = 8
   minTimeRatio = 0.0
   maxTimeRatio = 5.0
   saveInternalTx = false
