Skip to content
DevLab

How to Correctly Test File Upload Limits

Category: Testing Techniques
This article is currently available in Japanese only. We are working on translations.

When developing a file upload feature for a web application, are you confident just because you set the limit to 10 MB? In reality, testing upload limits has many pitfalls, and failure to validate correctly can result in unexpected errors in production. This article explains how to accurately test upload limits using boundary value testing principles.

Three boundary test cases Boundary tests for 10MB limit 10 MB boundary 10MB - 1 byte expect success 10MB exact impl. dependent 10MB + 1 byte expect 413 reject 0 Verify server side including multipart overhead
Fig 1: Layout of three boundary value test cases

What is boundary value testing

<strong>Boundary Value Testing</strong> is one of the fundamental techniques in software testing. It is based on the empirical observation that bugs are more likely to occur near the boundaries of input values—at points such as "exactly at the limit," "one byte before the limit," and "one byte over the limit."

For file upload limit testing, you should prepare at least the following 3 test cases.

  • <strong>File exactly at the limit</strong> — Verify that the upload succeeds
  • <strong>File 1 byte smaller than the limit</strong> — Verify that it definitely succeeds
  • <strong>File 1 byte larger than the limit</strong> — Verify that it is correctly rejected

Be Careful Not to Confuse MB and MiB

The most common mistake in upload limit testing is confusing MB (megabytes) with MiB (mebibytes).

  • <strong>1 MB</strong> = 1,000,000 bytes (decimal-based, SI unit)
  • <strong>1 MiB</strong> = 1,048,576 bytes (binary-based, IEC unit)

This difference is approximately 4.86%, with a 48,576-byte gap between 10MB and 10MiB. It is crucial to accurately understand which unit your server-side framework or cloud service uses. For example, when you specify <code>upload_max_filesize</code> as "10M" in PHP, it is interpreted as 10MiB (10,485,760 bytes). However, some CDNs and API gateways may treat it as 10MB (10,000,000 bytes).

Overhead of multipart/form-data

The <code>multipart/form-data</code> format used in file uploads includes overhead such as boundary strings, Content-Disposition headers, and line breaks in addition to the file body.

When the server's size limit check is performed on the entire request body, even if the file itself is below the limit, including overhead may cause it to exceed. Since Nginx's <code>client_max_body_size</code> restricts the size of the entire request body, caution is needed on this point.

# Nginx の設定例
client_max_body_size 10m;  # リクエストボディ全体の上限(MiB単位)

Double-check between front-end and back-end

During testing, verify that size checks are performed on both the frontend (JavaScript) and backend (server). If checking is only done on the frontend, it can be easily bypassed using developer tools or the curl command.

// フロントエンドでのサイズチェック例
const MAX_SIZE = 10 * 1024 * 1024; // 10 MiB
fileInput.addEventListener('change', (e) => {
    const file = e.target.files[0];
    if (file.size > MAX_SIZE) {
        alert('ファイルサイズが上限を超えています');
        e.target.value = '';
    }
});

Error message and UX confirmation

In boundary value testing, check not only whether the request succeeds or fails, but also the following points.

  • Is a clear error message displayed when the limit is exceeded?
  • Is the HTTP Status Code Appropriate (e.g., 413 Payload Too Large)
  • Does the progress bar work correctly during large file uploads?
  • Whether timeout handling is implemented correctly

How to obtain test files

Accurate boundary value testing requires test files with exact byte-level sizes. DevLab provides boundary value test files tailored to major upload limits.

  • <a href="/ja/files/threshold/">Boundary Value Test File List</a> — Files matched to major service limits like Gmail (25MB), Discord (25MB), WordPress (10MB)
  • <a href="/ja/files/threshold/10mb/">10MB Threshold Test Set</a> — Three-file set covering exact, just-before, and just-after scenarios
  • <a href="/ja/files/threshold/25mb/">25MB Threshold Test Set</a> — For email attachments and chat tools

All files include MD5, SHA-1, and SHA-256 hash values, which you can use to verify integrity after download.

Summary

Testing file upload limits requires more than just "throwing a large file at it." You should understand the difference between MB and MiB, consider multipart overhead, and validate boundary values with byte-precise test files. By leveraging DevLab's boundary value test files, you can implement these tests efficiently.

Test files for this article

  • → <a href="/ja/files/threshold/" class="text-primary-600 dark:text-primary-400 hover:underline">Threshold Test Files (9.9MB / 10MB / 10.1MB)</a>
  • → <a href="/ja/files/images/png/" class="text-primary-600 dark:text-primary-400 hover:underline">PNG Image Test Files List</a>

Related articles

  • → <a href="/ja/blog/mb-vs-mib-file-size/" class="text-primary-600 dark:text-primary-400 hover:underline">MB and MiB Are Different! The Pitfalls of File Size Units</a>
  • → <a href="/ja/blog/multipart-form-data-overhead/" class="text-primary-600 dark:text-primary-400 hover:underline">Calculating multipart/form-data Overhead Accurately</a>
  • → <a href="/ja/blog/file-validation-checklist/" class="text-primary-600 dark:text-primary-400 hover:underline">Web Form File Validation Implementation Checklist</a>

🛠️ Related DevLab tools

バイト単位コンバータ

ハッシュ生成

curl ⇔ fetch 変換

📝 Related articles

Nginx の client_max_body_size 設定

413 Request Entity Too Large の解決

multipart/form-data のオーバーヘッド

📚 Reference

Upload Limits Across Major Services
🛠️ All tools 🔍 Diagnostics 📝 All blog posts 📚 Reference