body-parser
Advanced tools
The body-parser package is a Node.js middleware that parses incoming request bodies before your handlers, available under the req.body property. It is commonly used to parse JSON, raw, text, and URL-encoded form data.
JSON Body Parsing
This feature allows the server to accept and parse incoming requests with JSON payloads, making the parsed data available under req.body.
const express = require('express');
const bodyParser = require('body-parser');
const app = express();
app.use(bodyParser.json());
app.post('/json', (req, res) => {
res.send(req.body);
});URL-Encoded Form Data Parsing
This feature is used to parse payloads from forms submitted via HTTP POST. The 'extended' option allows for rich objects and arrays to be encoded into the URL-encoded format, allowing for a JSON-like experience with URL-encoded forms.
const express = require('express');
const bodyParser = require('body-parser');
const app = express();
app.use(bodyParser.urlencoded({ extended: true }));
app.post('/form', (req, res) => {
res.send(req.body);
});Raw Body Parsing
This feature lets the server accept raw data in the request body, useful for parsing bodies that are not text-based, like binary data streams.
const express = require('express');
const bodyParser = require('body-parser');
const app = express();
app.use(bodyParser.raw({ type: 'application/vnd.custom-type' }));
app.post('/raw', (req, res) => {
res.send(req.body);
});Text Body Parsing
This feature allows parsing text bodies, such as plain text or HTML, from the request body.
const express = require('express');
const bodyParser = require('body-parser');
const app = express();
app.use(bodyParser.text({ type: 'text/html' }));
app.post('/text', (req, res) => {
res.send(req.body);
});Multer is a middleware for handling 'multipart/form-data', primarily used for uploading files. It is different from body-parser as it is specialized for file upload scenarios.
Formidable is a Node.js module for parsing form data, especially file uploads. It can handle multiple file uploads and supports file size limits, making it more feature-rich for handling forms than body-parser.
Busboy is a streaming parser for HTML form data for Node.js. It is faster and more efficient for large file uploads compared to body-parser, which does not handle file streams.
Designed for the Koa framework, koa-body is a full-featured body parser middleware. It supports multipart, urlencoded, and json request bodies and provides additional features like file uploads, making it a more comprehensive solution than body-parser for Koa applications.
Node.js body parsing middleware.
Parse incoming request bodies in a middleware before your handlers, available
under the req.body property.
Note As req.body's shape is based on user-controlled input, all
properties and values in this object are untrusted and should be validated
before trusting. For example, req.body.foo.toString() may fail in multiple
ways, for example the foo property may not be there or may not be a string,
and toString may not be a function and instead a string or other user input.
Learn about the anatomy of an HTTP transaction in Node.js.
This does not handle multipart bodies, due to their complex and typically large nature. For multipart bodies, you may be interested in the following modules:
This module provides the following parsers:
Other body parsers you might be interested in:
$ npm install body-parser
var bodyParser = require('body-parser')
The bodyParser object exposes various factories to create middlewares. All
middlewares will populate the req.body property with the parsed body when
the Content-Type request header matches the type option, or an empty
object ({}) if there was no body to parse, the Content-Type was not matched,
or an error occurred.
The various errors returned by this module are described in the errors section.
Returns middleware that only parses json and only looks at requests where
the Content-Type header matches the type option. This parser accepts any
Unicode encoding of the body and supports automatic inflation of gzip and
deflate encodings.
A new body object containing the parsed data is populated on the request
object after the middleware (i.e. req.body).
The json function takes an optional options object that may contain any of
the following keys:
When set to true, then deflated (compressed) bodies will be inflated; when
false, deflated bodies are rejected. Defaults to true.
Controls the maximum request body size. If this is a number, then the value
specifies the number of bytes; if it is a string, the value is passed to the
bytes library for parsing. Defaults
to '100kb'.
The reviver option is passed directly to JSON.parse as the second
argument. You can find more information on this argument
in the MDN documentation about JSON.parse.
When set to true, will only accept arrays and objects; when false will
accept anything JSON.parse accepts. Defaults to true.
The type option is used to determine what media type the middleware will
parse. This option can be a string, array of strings, or a function. If not a
function, type option is passed directly to the
type-is library and this can
be an extension name (like json), a mime type (like application/json), or
a mime type with a wildcard (like */* or */json). If a function, the type
option is called as fn(req) and the request is parsed if it returns a truthy
value. Defaults to application/json.
The verify option, if supplied, is called as verify(req, res, buf, encoding),
where buf is a Buffer of the raw request body and encoding is the
encoding of the request. The parsing can be aborted by throwing an error.
Returns middleware that parses all bodies as a Buffer and only looks at
requests where the Content-Type header matches the type option. This
parser supports automatic inflation of gzip and deflate encodings.
A new body object containing the parsed data is populated on the request
object after the middleware (i.e. req.body). This will be a Buffer object
of the body.
The raw function takes an optional options object that may contain any of
the following keys:
When set to true, then deflated (compressed) bodies will be inflated; when
false, deflated bodies are rejected. Defaults to true.
Controls the maximum request body size. If this is a number, then the value
specifies the number of bytes; if it is a string, the value is passed to the
bytes library for parsing. Defaults
to '100kb'.
The type option is used to determine what media type the middleware will
parse. This option can be a string, array of strings, or a function.
If not a function, type option is passed directly to the
type-is library and this
can be an extension name (like bin), a mime type (like
application/octet-stream), or a mime type with a wildcard (like */* or
application/*). If a function, the type option is called as fn(req)
and the request is parsed if it returns a truthy value. Defaults to
application/octet-stream.
The verify option, if supplied, is called as verify(req, res, buf, encoding),
where buf is a Buffer of the raw request body and encoding is the
encoding of the request. The parsing can be aborted by throwing an error.
Returns middleware that parses all bodies as a string and only looks at
requests where the Content-Type header matches the type option. This
parser supports automatic inflation of gzip and deflate encodings.
A new body string containing the parsed data is populated on the request
object after the middleware (i.e. req.body). This will be a string of the
body.
The text function takes an optional options object that may contain any of
the following keys:
Specify the default character set for the text content if the charset is not
specified in the Content-Type header of the request. Defaults to utf-8.
When set to true, then deflated (compressed) bodies will be inflated; when
false, deflated bodies are rejected. Defaults to true.
Controls the maximum request body size. If this is a number, then the value
specifies the number of bytes; if it is a string, the value is passed to the
bytes library for parsing. Defaults
to '100kb'.
The type option is used to determine what media type the middleware will
parse. This option can be a string, array of strings, or a function. If not
a function, type option is passed directly to the
type-is library and this can
be an extension name (like txt), a mime type (like text/plain), or a mime
type with a wildcard (like */* or text/*). If a function, the type
option is called as fn(req) and the request is parsed if it returns a
truthy value. Defaults to text/plain.
The verify option, if supplied, is called as verify(req, res, buf, encoding),
where buf is a Buffer of the raw request body and encoding is the
encoding of the request. The parsing can be aborted by throwing an error.
Returns middleware that only parses urlencoded bodies and only looks at
requests where the Content-Type header matches the type option. This
parser accepts only UTF-8 encoding of the body and supports automatic
inflation of gzip and deflate encodings.
A new body object containing the parsed data is populated on the request
object after the middleware (i.e. req.body). This object will contain
key-value pairs, where the value can be a string or array (when extended is
false), or any type (when extended is true).
The urlencoded function takes an optional options object that may contain
any of the following keys:
The extended option allows to choose between parsing the URL-encoded data
with the querystring library (when false) or the qs library (when
true). The "extended" syntax allows for rich objects and arrays to be
encoded into the URL-encoded format, allowing for a JSON-like experience
with URL-encoded. For more information, please
see the qs library.
Defaults to true, but using the default has been deprecated. Please
research into the difference between qs and querystring and choose the
appropriate setting.
When set to true, then deflated (compressed) bodies will be inflated; when
false, deflated bodies are rejected. Defaults to true.
Controls the maximum request body size. If this is a number, then the value
specifies the number of bytes; if it is a string, the value is passed to the
bytes library for parsing. Defaults
to '100kb'.
The parameterLimit option controls the maximum number of parameters that
are allowed in the URL-encoded data. If a request contains more parameters
than this value, a 413 will be returned to the client. Defaults to 1000.
The type option is used to determine what media type the middleware will
parse. This option can be a string, array of strings, or a function. If not
a function, type option is passed directly to the
type-is library and this can
be an extension name (like urlencoded), a mime type (like
application/x-www-form-urlencoded), or a mime type with a wildcard (like
*/x-www-form-urlencoded). If a function, the type option is called as
fn(req) and the request is parsed if it returns a truthy value. Defaults
to application/x-www-form-urlencoded.
The verify option, if supplied, is called as verify(req, res, buf, encoding),
where buf is a Buffer of the raw request body and encoding is the
encoding of the request. The parsing can be aborted by throwing an error.
The depth option is used to configure the maximum depth of the qs library when extended is true. This allows you to limit the amount of keys that are parsed and can be useful to prevent certain types of abuse. Defaults to 32. It is recommended to keep this value as low as possible.
The middlewares provided by this module create errors using the
http-errors module. The errors
will typically have a status/statusCode property that contains the suggested
HTTP response code, an expose property to determine if the message property
should be displayed to the client, a type property to determine the type of
error without matching against the message, and a body property containing
the read body, if available.
The following are the common errors created, though any error can come through for various reasons.
This error will occur when the request had a Content-Encoding header that
contained an encoding but the "inflation" option was set to false. The
status property is set to 415, the type property is set to
'encoding.unsupported', and the charset property will be set to the
encoding that is unsupported.
This error will occur when the request contained an entity that could not be
parsed by the middleware. The status property is set to 400, the type
property is set to 'entity.parse.failed', and the body property is set to
the entity value that failed parsing.
This error will occur when the request contained an entity that could not be
failed verification by the defined verify option. The status property is
set to 403, the type property is set to 'entity.verify.failed', and the
body property is set to the entity value that failed verification.
This error will occur when the request is aborted by the client before reading
the body has finished. The received property will be set to the number of
bytes received before the request was aborted and the expected property is
set to the number of expected bytes. The status property is set to 400
and type property is set to 'request.aborted'.
This error will occur when the request body's size is larger than the "limit"
option. The limit property will be set to the byte limit and the length
property will be set to the request body's length. The status property is
set to 413 and the type property is set to 'entity.too.large'.
This error will occur when the request's length did not match the length from
the Content-Length header. This typically occurs when the request is malformed,
typically when the Content-Length header was calculated based on characters
instead of bytes. The status property is set to 400 and the type property
is set to 'request.size.invalid'.
This error will occur when something called the req.setEncoding method prior
to this middleware. This module operates directly on bytes only and you cannot
call req.setEncoding when using this module. The status property is set to
500 and the type property is set to 'stream.encoding.set'.
This error will occur when the request is no longer readable when this middleware
attempts to read it. This typically means something other than a middleware from
this module read the request body already and the middleware was also configured to
read the same request. The status property is set to 500 and the type
property is set to 'stream.not.readable'.
This error will occur when the content of the request exceeds the configured
parameterLimit for the urlencoded parser. The status property is set to
413 and the type property is set to 'parameters.too.many'.
This error will occur when the request had a charset parameter in the
Content-Type header, but the iconv-lite module does not support it OR the
parser does not support it. The charset is contained in the message as well
as in the charset property. The status property is set to 415, the
type property is set to 'charset.unsupported', and the charset property
is set to the charset that is unsupported.
This error will occur when the request had a Content-Encoding header that
contained an unsupported encoding. The encoding is contained in the message
as well as in the encoding property. The status property is set to 415,
the type property is set to 'encoding.unsupported', and the encoding
property is set to the encoding that is unsupported.
This error occurs when using bodyParser.urlencoded with the extended property set to true and the input exceeds the configured depth option. The status property is set to 400. It is recommended to review the depth option and evaluate if it requires a higher value. When the depth option is set to 32 (default value), the error will not be thrown.
This example demonstrates adding a generic JSON and URL-encoded parser as a top-level middleware, which will parse the bodies of all incoming requests. This is the simplest setup.
var express = require('express')
var bodyParser = require('body-parser')
var app = express()
// parse application/x-www-form-urlencoded
app.use(bodyParser.urlencoded({ extended: false }))
// parse application/json
app.use(bodyParser.json())
app.use(function (req, res) {
res.setHeader('Content-Type', 'text/plain')
res.write('you posted:\n')
res.end(JSON.stringify(req.body, null, 2))
})
This example demonstrates adding body parsers specifically to the routes that need them. In general, this is the most recommended way to use body-parser with Express.
var express = require('express')
var bodyParser = require('body-parser')
var app = express()
// create application/json parser
var jsonParser = bodyParser.json()
// create application/x-www-form-urlencoded parser
var urlencodedParser = bodyParser.urlencoded({ extended: false })
// POST /login gets urlencoded bodies
app.post('/login', urlencodedParser, function (req, res) {
res.send('welcome, ' + req.body.username)
})
// POST /api/users gets JSON bodies
app.post('/api/users', jsonParser, function (req, res) {
// create user in req.body
})
All the parsers accept a type option which allows you to change the
Content-Type that the middleware will parse.
var express = require('express')
var bodyParser = require('body-parser')
var app = express()
// parse various different custom JSON types as JSON
app.use(bodyParser.json({ type: 'application/*+json' }))
// parse some custom thing into a Buffer
app.use(bodyParser.raw({ type: 'application/vnd.custom-type' }))
// parse an HTML body into a string
app.use(bodyParser.text({ type: 'text/html' }))
FAQs
Node.js body parsing middleware
The npm package body-parser receives a total of 23,405,836 weekly downloads. As such, body-parser popularity was classified as popular.
We found that body-parser demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
PyPI now supports digital attestations, enhancing security and trust by allowing package maintainers to verify the authenticity of Python packages.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.