apollographql · carodewig · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026
diff --git a/.changesets/feat_caroline_subgraph_connector_response_size_limits.md b/.changesets/feat_caroline_subgraph_connector_response_size_limits.md
@@ -0,0 +1,35 @@
+### Add per-subgraph and per-connector HTTP response size limits ([PR #9160](https://github.com/apollographql/router/pull/9160))
+
+The router can now cap the number of bytes it reads from subgraph and connector HTTP response bodies, protecting against out-of-memory conditions when a downstream service returns an unexpectedly large payload.
+
+The limit is enforced as the response body streams in — the router stops reading and returns a GraphQL error as soon as the limit is exceeded, without buffering the full body first.
+
+Configure a global default and optional per-subgraph or per-source overrides:
+
+```yaml
+limits:
+  subgraph:
+    all:
+      http_max_response_bytes: 10485760 # 10 MB for all subgraphs
+    subgraphs:
+      products:
+        http_max_response_bytes: 20971520 # 20 MB override for 'products'
+
+  connector:
+    all:
+      http_max_response_bytes: 5242880 # 5 MB for all connector sources
+    sources:
+      products.rest:
+        http_max_response_bytes: 10485760 # 10 MB override for 'products.rest'
+```
+
+There is no default limit; responses are unrestricted unless you configure this option.
+
+When a response is aborted due to the limit, the router:
+- Returns a GraphQL error to the client with extension code `SUBREQUEST_HTTP_ERROR`
+- Increments the `apollo.router.limits.subgraph_response_size.exceeded` or `apollo.router.limits.connector_response_size.exceeded` counter
+- Records `apollo.subgraph.response.aborted: "response_size_limit"` or `apollo.connector.response.aborted: "response_size_limit"` on the relevant span
+
+**Configuration migration**: Existing `limits` fields (previously at the top level of `limits`) are now nested under `limits.router`. A configuration migration is included that updates your config file automatically.
+
+By [@carodewig](https://github.com/carodewig) in https://github.com/apollographql/router/pull/9160
@@ -1,7 +1,8 @@
 supergraph:
   listen: 127.0.0.1:44167
 limits:
-  parser_max_recursion: ${env.PARSER_MAX_RECURSION}
+  router:
+    parser_max_recursion: ${env.PARSER_MAX_RECURSION}
 include_subgraph_errors:
   all: true
 headers:

@@ -315,9 +315,9 @@ pub(super) fn serve_router_on_listen_addr(
     configuration: Arc<Configuration>,
     all_connections_stopped_sender: mpsc::Sender<()>,
 ) -> (impl Future<Output = Listener>, oneshot::Sender<()>) {
-    let opt_max_http1_headers = configuration.limits.http1_max_request_headers;
-    let opt_max_http1_buf_size = configuration.limits.http1_max_request_buf_size;
-    let opt_max_http2_headers_list_bytes = configuration.limits.http2_max_headers_list_bytes;
+    let opt_max_http1_headers = configuration.limits.router.http1_max_request_headers;
+    let opt_max_http1_buf_size = configuration.limits.router.http1_max_request_buf_size;
+    let opt_max_http2_headers_list_bytes = configuration.limits.router.http2_max_headers_list_bytes;
     let connection_shutdown_timeout = configuration.supergraph.connection_shutdown_timeout;
     let header_read_timeout = configuration.server.http.header_read_timeout;
     let tls_handshake_timeout = configuration.server.http.tls_handshake_timeout;

@@ -249,7 +249,7 @@ impl InstrumentData {
 
         populate_config_instrument!(
             apollo.router.config.limits,
-            "$.limits",
+            "$.limits.router",
             opt.operation.max_depth,
             "$[?(@.max_depth)]",
             opt.operation.max_aliases,

@@ -0,0 +1,40 @@
+description: >
+  limits config restructured: existing fields moved under `limits.router`,
+  new `limits.subgraph` section added for per-subgraph response size limits.
+actions:
+  - type: move
+    from: limits.http_max_request_bytes
+    to: limits.router.http_max_request_bytes
+  - type: move
+    from: limits.max_depth
+    to: limits.router.max_depth
+  - type: move
+    from: limits.max_height
+    to: limits.router.max_height
+  - type: move
+    from: limits.max_root_fields
+    to: limits.router.max_root_fields
+  - type: move
+    from: limits.max_aliases
+    to: limits.router.max_aliases
+  - type: move
+    from: limits.warn_only
+    to: limits.router.warn_only
+  - type: move
+    from: limits.parser_max_recursion
+    to: limits.router.parser_max_recursion
+  - type: move
+    from: limits.parser_max_tokens
+    to: limits.router.parser_max_tokens
+  - type: move
+    from: limits.http1_max_request_headers
+    to: limits.router.http1_max_request_headers
+  - type: move
+    from: limits.http1_max_request_buf_size
+    to: limits.router.http1_max_request_buf_size
+  - type: move
+    from: limits.http2_max_headers_list_bytes
+    to: limits.router.http2_max_headers_list_bytes
+  - type: move
+    from: limits.introspection_max_depth
+    to: limits.router.introspection_max_depth