LaWebcapsule · ldechamps · Nov 21, 2025 · Nov 25, 2025 · Nov 26, 2025 · Dec 3, 2025
diff --git a/api/src/env.ts b/api/src/env.ts
@@ -30,6 +30,8 @@ const allowedEnvironmentVars = [
 	'MAX_BATCH_MUTATION',
 	'LOGGER_.+',
 	'ROBOTS_TXT',
+	'MAX_RELATIONAL_DEPTH',
+	'MAX_ITEMS_PER_QUERY',
 	// server
 	'SERVER_.+',
 	// database
@@ -211,6 +213,7 @@ const defaults: Record<string, any> = {
 	PUBLIC_URL: '/',
 	MAX_PAYLOAD_SIZE: '1mb',
 	MAX_RELATIONAL_DEPTH: 10,
+	MAX_ITEMS_PER_QUERY: 1000,
 	MAX_BATCH_MUTATION: Infinity,
 	ROBOTS_TXT: 'User-agent: *\nDisallow: /',
 

diff --git a/api/src/utils/sanitize-query.ts b/api/src/utils/sanitize-query.ts
@@ -1,16 +1,25 @@
 import type { Accountability, Aggregate, Filter, Query } from '@wbce-d9/types';
 import { parseFilter, parseJSON } from '@wbce-d9/utils';
 import { flatten, get, isPlainObject, merge, set } from 'lodash-es';
+import env from '../env.js';
 import logger from '../logger.js';
 import { Meta } from '../types/index.js';
 
 export function sanitizeQuery(rawQuery: Record<string, any>, accountability?: Accountability | null): Query {
 	const query: Query = {};
 
 	if (rawQuery['limit'] !== undefined) {
-		const limit = sanitizeLimit(rawQuery['limit']);
+		let limit = sanitizeLimit(rawQuery['limit']);
 
 		if (typeof limit === 'number') {
+			const maxItemsPerQuery = Number(env['MAX_ITEMS_PER_QUERY']);
+
+			if (maxItemsPerQuery !== -1) {
+				if (limit === -1) {
+					limit = maxItemsPerQuery;
+				}
+			}
+
 			query.limit = limit;
 		}
 	}

diff --git a/api/src/utils/validate-query.ts b/api/src/utils/validate-query.ts
@@ -33,6 +33,10 @@ export function validateQuery(query: Query): Query {
 		validateAlias(query.alias);
 	}
 
+	if (query.limit) {
+		validateLimit(query.limit);
+	}
+
 	validateRelationalDepth(query);
 
 	if (error) {
@@ -232,3 +236,13 @@ function validateRelationalDepth(query: Query) {
 		}
 	}
 }
+
+function validateLimit(limit: any) {
+	const maxItemsPerQuery = Number(env['MAX_ITEMS_PER_QUERY']) || 1000;
+
+	if (limit !== -1 && maxItemsPerQuery !== -1) {
+		if (limit > maxItemsPerQuery) {
+			throw new InvalidQueryException(`"Limit" can't exceed ${maxItemsPerQuery}`);
+		}
+	}
+}
diff --git a/docs/self-hosted/config-options.md b/docs/self-hosted/config-options.md
@@ -205,6 +205,7 @@ prefixing the value with `{type}:`. The following types are available:
 | `GRAPHQL_INTROSPECTION`    | Whether or not to enable GraphQL Introspection                                                             | `true`                       |
 | `MAX_BATCH_MUTATION`       | The maximum number of items for batch mutations when creating, updating and deleting.                      | `Infinity`                   |
 | `MAX_RELATIONAL_DEPTH`     | The maximum depth when filtering / querying relational fields, with a minimum value of `2`.                | `10`                         |
+| `MAX_ITEMS_PER_QUERY`     | The maximum items when allowed querying relational fields. Set it to `-1` to remove the limitation.                | `1000`                         |
 | `ROBOTS_TXT`               | What the `/robots.txt` endpoint should return                                                              | `User-agent: *\nDisallow: /` |
 | `X_POWERED_BY_ENABLED`     | Whether the response should return the X-Powered-By Directus Header                                        | `true`                       |
 

diff --git a/tests/blackbox/common/config.ts b/tests/blackbox/common/config.ts
@@ -78,6 +78,7 @@ const directusConfig = {
 	SERVE_APP: 'false',
 	DB_EXCLUDE_TABLES: 'knex_migrations,knex_migrations_lock,spatial_ref_sys,sysdiagrams',
 	MAX_RELATIONAL_DEPTH: '5',
+	MAX_ITEMS_PER_QUERY: '1000',
 	MAX_PAYLOAD_SIZE: '10mb',
 	EXTENSIONS_PATH: './extensions',
 	ASSETS_TRANSFORM_MAX_CONCURRENT: '2',