It should be noted that Tremolo does not validate HTTP requests by default. Tremolo is a microframework, it tends to accept data and parse headers as is.

Some objects like request.method may contain anything.

This is a design decision that emphasizes flexibility. Not a weakness.

Validation must be done on your side. For example by using the Middleware.

Deploying Tremolo behind a CDN like Cloudflare, or using a reverse proxy / TLS termination proxy like Nginx is preferred. It can help mitigate malicious header attacks.

Avoid high memory consumptions

You should be careful when using request.body(). It’s not memory wise. Consider using request.read() instead. Otherwise, you have to set client_max_body_size to a lower best value.

When using request.form(), you can limit how much data that allowed to enter internal form parser. You can set it with the limit argument.

If you sure / only need short amount of form data, eg. under 64KiB, you can do the following:

form_data = await request.form(limit=65536)

Note that if the coming request body higher than the limit, it will raise ValueError. The default limit is 8MiB.

By lowering its value will help mitigating DoS attacks.