Parse Data Configuration
The parseData middleware offers full control over how data is parsed, validated, and protected.
It can be configured globally via app.parseData() or per route via parseData(config).
Configuration Structure
```javascript
parseData({
  body: {
    type: "application/json", // MIME type filter (string or RegExp)
    raw: false, // Store unparsed Buffer in req.rawBody
    inflate: true, // Enable gzip/deflate/br decompression
    limit: 10 * 1024 * 1024, // Max size (10MB default)
  },
  parse: {
    query: true, // Parse query parameters
    params: true, // Parse URL parameters
    json: true, // Parse JSON bodies
    urlencoded: true, // Parse x-www-form-urlencoded bodies
    formData: true, // Parse multipart/form-data bodies
  },
  security: {
    escapeSQL: true, // Enable SQL sanitization
    verify: (req, rawBuffer) => {
      /* Custom verification logic */
    },
  },
});
```

⚙️ Body Options
| Option | Type | Default | Description |
|---|---|---|---|
| type | string or RegExp | undefined | Restricts parsing to specific MIME types (e.g. "application/json", /^text\//). |
| raw | boolean | false | If true, stores unparsed body buffer in req.rawBody. |
| inflate | boolean | true | Enables decompression for gzip, deflate, or br-encoded requests. |
| limit | number | 10 * 1024 * 1024 | Defines max request body size (default 10MB). |
🧩 Parse Options
| Option | Type | Default | Description |
|---|---|---|---|
| query | boolean | true | Enables query string parsing. |
| params | boolean | true | Enables URL parameter parsing. |
| json | boolean | true | Enables parsing for application/json requests. |
| urlencoded | boolean | true | Enables parsing for application/x-www-form-urlencoded. |
| formData | boolean | true | Enables parsing for multipart/form-data. |
🔒 Security Options
| Option | Type | Default | Description |
|---|---|---|---|
| escapeSQL | boolean | false | Sanitizes user input to mitigate SQL injection. |
| verify | (req, rawBuffer) => void | undefined | Allows pre-parsing verification (useful for HMAC/webhook validation). |
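
One way to write the HMAC check that security.verify is meant for, as an added example that is not code from the parseData project. It assumes the sender puts a hex HMAC-SHA256 of the exact request bytes in X-Signature; the three-argument verifySignature, makeVerify, demo and the sample secret and body are hypothetical names and constructed values.

```javascript
// Added example (not parseData's own code): HMAC-SHA256 check for security.verify.
const crypto = require("crypto");

// Assumption: the sender sets X-Signature to hex(HMAC-SHA256(secret, raw body bytes)).
function verifySignature(rawBuffer, signatureHeader, secret) {
  // Reject a missing header or anything that is not a 64-char hex SHA-256 digest.
  if (typeof signatureHeader !== "string") return false;
  if (!/^[0-9a-f]{64}$/i.test(signatureHeader)) return false;
  const expected = crypto.createHmac("sha256", secret).update(rawBuffer).digest();
  const received = Buffer.from(signatureHeader, "hex");
  // Constant-time compare; both buffers are 32 bytes, so this cannot throw.
  return crypto.timingSafeEqual(expected, received);
}

// Hypothetical helper: returns a function with the (req, rawBuffer) shape of verify.
function makeVerify(secret) {
  if (typeof secret !== "string" || secret.length < 16) {
    throw new Error("webhook secret missing or too short");
  }
  return (req, rawBuffer) => {
    if (!verifySignature(rawBuffer, req.headers["x-signature"], secret)) {
      throw new Error("Invalid signature"); // error table: 400 Invalid Request Verification
    }
  };
}

// Constructed sample data: a secret, a body as sent on the wire, and its signature.
const SAMPLE_SECRET = "constructed-demo-secret-0123456789";
const SAMPLE_BODY = Buffer.from('{ "event": "invoice.paid", "id": 42 }');
const SAMPLE_SIG = crypto.createHmac("sha256", SAMPLE_SECRET).update(SAMPLE_BODY).digest("hex");

function demo() {
  const verify = makeVerify(SAMPLE_SECRET);
  const attempt = (headers, body) => {
    try { verify({ headers }, body); return "accepted"; } catch { return "rejected"; }
  };
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(SAMPLE_BODY.toString())));
  return {
    valid: attempt({ "x-signature": SAMPLE_SIG }, SAMPLE_BODY),
    tampered: attempt({ "x-signature": SAMPLE_SIG }, Buffer.from('{ "event": "invoice.paid", "id": 43 }')),
    reserialized: attempt({ "x-signature": SAMPLE_SIG }, reserialized), // same JSON, different bytes
    missing: attempt({}, SAMPLE_BODY),
    malformed: attempt({ "x-signature": "not-hex" }, SAMPLE_BODY),
  };
}

console.log(demo());
```

Pass makeVerify(secret) as security.verify. The reserialized case shows why the check has to run on the raw buffer rather than on the parsed body.
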
Example — Per Route Configuration
```javascript
router.post(
  "/secure-upload",
  parseData({
    body: {
      type: "multipart/form-data",
      limit: 5 * 1024 * 1024, // 5MB limit
      inflate: true,
    },
    security: {
      escapeSQL: true,
      verify: (req, raw) => {
        // verifySignature is not defined on this page; the application must supply it
        const signature = req.headers["x-signature"];
        if (!verifySignature(raw, signature))
          throw new Error("Invalid signature");
      },
    },
  }),
  (req, res) => {
    console.log(req.body, req.files);
    res.status(200).end();
  }
);
```

🧱 Global vs Route-Level Priority
| Level | Behavior |
|---|---|
| Global (app.parseData()) | Applies defaults to all routes. |
| Route (parseData(config)) | Overrides global settings for the route. |
Example:
```javascript
app.parseData({ body: { inflate: true } });

router.post(
  "/raw",
  parseData({ body: { raw: true } }), // Overrides global inflate
  (req, res) => {
    console.log(req.rawBody.toString("utf-8"));
    res.status(200).end();
  }
);
```

🧪 Error Handling Summary
| Code | Message | Cause |
|---|---|---|
| 400 | Invalid Request Data | Malformed JSON or body |
| 400 | Invalid Compressed Data | Decompression failed |
| 415 | Unsupported Content-Encoding | Compression disabled |
| 413 | Payload Too Large | Request exceeds limit |
| 400 | Invalid Request Verification | security.verify failed |
✅ Best Practices
- Use route-level configuration for endpoints with custom verification or MIME restrictions.
- Keep inflate: true for clients that send compressed data.
- Always apply body.limit to prevent denial-of-service via large payloads.
- Use security.verify only when raw body access is needed (e.g., webhooks).
- Combine escapeSQL with parameterized queries for maximum protection.