Depends on the limit really, if the limit is 32 characters or something like that, definite red flag.
If the limit is something like 250 or more characters, I’m more inclined to believe it’s basic protection from all the things that can go wrong when someone repeatedly POSTs whatever the maximum amount of garbage that your server’s request limit allows, at an API that performs cryptographic work.
Depends on the limit really, if the limit is 32 characters or something like that, definite red flag.
If the limit is something like 250 or more characters, I’m more inclined to believe it’s basic protection from all the things that can go wrong when someone repeatedly POSTs whatever the maximum amount of garbage that your server’s request limit allows, at an API that performs cryptographic work.