[![NPM Version][npm-version-image]][npm-url] [![NPM Downloads][npm-downloads-image]][npm-url] [![Build Status][ci-image]][ci-url] [![Test Coverage][coveralls-image]][coveralls-url] [![OpenSSF Scorecard Badge][ossf-scorecard-badge]][ossf-scorecard-visualizer]
Node.js body parsing middleware.
Parse incoming request bodies in a middleware before your handlers, available
under the req.body property.
Note As req.body's shape is based on user-controlled input, all
properties and values in this object are untrusted and should be validated
before trusting. For example, req.body.foo.toString() may fail in multiple
ways, for example the foo property may not be there or may not be a string,
and toString may not be a function and instead a string or other user input.
Learn about the anatomy of an HTTP transaction in Node.js.
This does not handle multipart bodies, due to their complex and typically large nature. For multipart bodies, you may be interested in the following modules:
This module provides the following parsers:
Other body parsers you might be interested in:
$ npm install body-parser
// Import all parsers
const bodyParser = require('body-parser')
// Or import individual parsers directly
const json = require('body-parser/json')
const urlencoded = require('body-parser/urlencoded')
const raw = require('body-parser/raw')
const text = require('body-parser/text')
The bodyParser object exposes various factories to create middlewares. All
middlewares will populate the req.body property with the parsed body when
the Content-Type request header matches the type option.
The various errors returned by this module are described in the errors section.
Returns middleware that only parses json and only looks at requests where
the Content-Type header matches the type option. This parser accepts any
Unicode encoding of the body and supports automatic inflation of gzip,
br (brotli) and deflate encodings.
A new body object containing the parsed data is populated on the request
object after the middleware (i.e. req.body).
The json function takes an optional options object that may contain any of
the following keys:
Specify the default character set for the json content if the charset is not
specified in the Content-Type header of the request. Defaults to utf-8.
When set to true, then deflated (compressed) bodies will be inflated; when
false, deflated bodies are rejected. Defaults to true.
Controls the maximum request body size. If this is a number, then the value
specifies the number of bytes; if it is a string, the value is passed to the
bytes library for parsing. Defaults
to '100kb'.
It’s recommended not to configure a very high limit and to use the default value whenever possible. Allowing larger payloads increases memory usage because of the resources required for decoding and transformations, and it can also lead to longer response times as more data is processed. By ‘very high’, we mean values above the default, for example payloads of 5 MB or more can already start to introduce these risks. With the default limits, these issues do not occur.
The reviver option is passed directly to JSON.parse as the second
argument. You can find more information on this argument
in the MDN documentation about JSON.parse.
When set to true, will only accept arrays and objects; when false will
accept anything JSON.parse accepts. Defaults to true.
The type option is used to determine what media type the middleware will
parse. This option can be a string, array of strings, or a function. If not a
function, type option is passed directly to the
type-is library and this can
be an extension name (like json), a mime type (like application/json), or
a mime type with a wildcard (like */* or */json). If a function, the type
option is called as fn(req) and the request is parsed if it returns a truthy
value. Defaults to application/json.
The verify option, if supplied, is called as verify(req, res, buf, encoding),
where buf is a Buffer of the raw request body and encoding is the
encoding of the request. The parsing can be aborted by throwing an error.
Returns middleware that parses all bodies as a Buffer and only looks at
requests where the Content-Type header matches the type option. This
parser supports automatic inflation of gzip, br (brotli) and deflate
encodings.
A new body object containing the parsed data is populated on the request
object after the middleware (i.e. req.body). This will be a Buffer object
of the body.
The raw function takes an optional options object that may contain any of
the following keys:
When set to true, then deflated (compressed) bodies will be inflated; when
false, deflated bodies are rejected. Defaults to true.
Controls the maximum request body size. If this is a number, then the value
specifies the number of bytes; if it is a string, the value is passed to the
bytes library for parsing. Defaults
to '100kb'.
It’s recommended not to configure a very high limit and to use the default value whenever possible. Allowing larger payloads increases memory usage because of the resources required for decoding and transformations, and it can also lead to longer response times as more data is processed. By ‘very high’, we mean values above the default, for example payloads of 5 MB or more can already start to introduce these risks. With the default limits, these issues do not occur.
The type option is used to determine what media type the middleware will
parse. This option can be a string, array of strings, or a function.
If not a function, type option is passed directly to the
type-is library and this
can be an extension name (like bin), a mime type (like
application/octet-stream), or a mime type with a wildcard (like */* or
application/*). If a function, the type option is called as fn(req)
and the request is parsed if it returns a truthy value. Defaults to
application/octet-stream.
The verify option, if supplied, is called as verify(req, res, buf, encoding),
where buf is a Buffer of the raw request body and encoding is the
encoding of the request. The parsing can be aborted by throwing an error.
Returns middleware that parses all bodies as a string and only looks at
requests where the Content-Type header matches the type option. This
parser supports automatic inflation of gzip, br (brotli) and deflate
encodings.
A new body string containing the parsed data is populated on the request
object after the middleware (i.e. req.body). This will be a string of the
body.
The text function takes an optional options object that may contain any of
the following keys:
Specify the default character set for the text content if the charset is not
specified in the Content-Type header of the request. Defaults to utf-8.
When set to true, then deflated (compressed) bodies will be inflated; when
false, deflated bodies are rejected. Defaults to true.
Controls the maximum request body size. If this is a number, then the value
specifies the number of bytes; if it is a string, the value is passed to the
bytes library for parsing. Defaults
to '100kb'.
It’s recommended not to configure a very high limit and to use the default value whenever possible. Allowing larger payloads increases memory usage because of the resources required for decoding and transformations, and it can also lead to longer response times as more data is processed. By ‘very high’, we mean values above the default, for example payloads of 5 MB or more can already start to introduce these risks. With the default limits, these issues do not occur.
The type option is used to determine what media type the middleware will
parse. This option can be a string, array of strings, or a function. If not
a function, type option is passed directly to the
type-is library and this can
be an extension name (like txt), a mime type (like text/plain), or a mime
type with a wildcard (like */* or text/*). If a function, the type
option is called as fn(req) and the request is parsed if it returns a
truthy value. Defaults to text/plain.
The verify option, if supplied, is called as verify(req, res, buf, encoding),
where buf is a Buffer of the raw request body and encoding is the
encoding of the request. The parsing can be aborted by throwing an error.
Returns middleware that only parses urlencoded bodies and only looks at
requests where the Content-Type header matches the type option. This
parser accepts only UTF-8 and ISO-8859-1 encodings of the body and supports
automatic inflation of gzip, br (brotli) and deflate encodings.
A new body object containing the parsed data is populated on the request
object after the middleware (i.e. req.body). This object will contain
key-value pairs, where the value can be a string or array (when extended is
false), or any type (when extended is true).
The urlencoded function takes an optional options object that may contain
any of the following keys:
The "extended" syntax allows for rich objects and arrays to be encoded into the URL-encoded format, allowing for a JSON-like experience with URL-encoded. For more information, please see the qs library.
Defaults to false.
When set to true, then deflated (compressed) bodies will be inflated; when
false, deflated bodies are rejected. Defaults to true.
Controls the maximum request body size. If this is a number, then the value
specifies the number of bytes; if it is a string, the value is passed to the
bytes library for parsing. Defaults
to '100kb'.
It’s recommended not to configure a very high limit and to use the default value whenever possible. Allowing larger payloads increases memory usage because of the resources required for decoding and transformations, and it can also lead to longer response times as more data is processed. By ‘very high’, we mean values above the default, for example payloads of 5 MB or more can already start to introduce these risks. With the default limits, these issues do not occur.
The parameterLimit option controls the maximum number of parameters that
are allowed in the URL-encoded data. If a request contains more parameters
than this value, a 413 will be returned to the client. Defaults to 1000.
The type option is used to determine what media type the middleware will
parse. This option can be a string, array of strings, or a function. If not
a function, type option is passed directly to the
type-is library and this can
be an extension name (like urlencoded), a mime type (like
application/x-www-form-urlencoded), or a mime type with a wildcard (like
*/x-www-form-urlencoded). If a function, the type option is called as
fn(req) and the request is parsed if it returns a truthy value. Defaults
to application/x-www-form-urlencoded.
The verify option, if supplied, is called as verify(req, res, buf, encoding),
where buf is a Buffer of the raw request body and encoding is the
encoding of the request. The parsing can be aborted by throwing an error.
The default charset to parse as, if not specified in content-type. Must be
either utf-8 or iso-8859-1. Defaults to utf-8.
Whether to let the value of the utf8 parameter take precedence as the charset
selector. It requires the form to contain a parameter named utf8 with a value
of ✓. Defaults to false.
Whether to decode numeric entities such as ☺ when parsing an iso-8859-1
form. Defaults to false.
The depth option is used to configure the maximum depth of the qs library when extended is true. This allows you to limit the amount of keys that are parsed and can be useful to prevent certain types of abuse. Defaults to 32. It is recommended to keep this value as low as possible.
The middlewares provided by this module create errors using the
[http-errors mo
$ claude mcp add body-parser \
-- python -m otcore.mcp_server <graph>