I'm making a webapp that uses WebSockets for communication between the browser and node server.
If you open up the debug console (F12), you can access the socket instance and write to it.
For example, socket.send('packetname', 'data')
What's stopping someone from opening the console and writing something like this?
socket.send(new Array(99999));
All this data being sent to the server can be overwhelming and by the time it gets there, the bandwidth is already used and it's already been processed. Of course there is validation but at that point it's too late and the resources have already been spent processing it.
You also can't just check the length of the array because someone could send an array where the first element is a huge array instead, or anything really. I don't think there's a way to calculate byte size so I guess the best option is stringifying the data to check its size (which is extremely slow)?
All my packets are very small. I am looking for a way of preventing packets over a certain size from being sent to the server. Is this possible?
Unless you have full control over the client (which you don't) you cannot hinder the client to send arbitrary large data to your system. The client would not even need to use a browser so any restrictions inside the browser will not work.
You just have to deal with it, like with disconnecting the client immediately if you get an unexpected amount of data and maybe blacklisting the origin so that the next attack attempt will be stopped earlier.