diff --git a/rest/handler/cryptionhandler.go b/rest/handler/cryptionhandler.go
index f5d4e48d..93bbd889 100644
--- a/rest/handler/cryptionhandler.go
+++ b/rest/handler/cryptionhandler.go
@@ -3,6 +3,7 @@ package handler
 import (
 "bytes"
 "encoding/base64"
+ "errors"
 "io"
 "io/ioutil"
 "net/http"
@@ -13,6 +14,8 @@ import (
 
 const maxBytes = 1 << 20 // 1 MiB
 
+var errContentLengthExceeded = errors.New("content length exceeded")
+
 func CryptionHandler(key []byte) func(http.Handler) http.Handler {
 return func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -35,6 +38,10 @@ func CryptionHandler(key []byte) func(http.Handler) http.Handler {
 }
 
 func decryptBody(key []byte, r *http.Request) error {
+ if r.ContentLength > maxBytes {
+ return errContentLengthExceeded
+ }
+
 content, err := ioutil.ReadAll(io.LimitReader(r.Body, maxBytes))
 if err != nil {
 return err
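Review bot: The new `r.ContentLength > maxBytes` guard in decryptBody only covers requests that declare a length; for a chunked body net/http reports ContentLength as -1, so an oversized body passes the check and is silently truncated at 1 MiB by the `io.LimitReader` on the following line instead of being rejected. Reading one byte past the cap enforces the limit in both cases: `content, err := ioutil.ReadAll(io.LimitReader(r.Body, maxBytes+1))` followed by `if len(content) > maxBytes { return errContentLengthExceeded }`. The rest of decryptBody and the call site in CryptionHandler are outside the hunk, so it is not visible how this sentinel is reported to the client; it is worth confirming that it maps to 413 rather than a generic failure status.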