diff --git a/src/server.ts b/src/server.ts
index 23ed002b..673acbb3 100644
--- a/src/server.ts
+++ b/src/server.ts
@@ -43,8 +43,9 @@ export async function startServer(): Promise {
 export async function startHttpServer(host: string, port: number, mcpServer: McpServer): Promise {
 const app = express();
- // Parse JSON requests for the Streamable HTTP endpoint only, will break SSE endpoint
- app.use("/mcp", express.json());
+ // Parse JSON requests for the Streamable HTTP endpoint only (this will break SSE endpoints),
+ // and enforce an explicit body size limit to reduce DoS risk.
+ app.use("/mcp", express.json({ limit: "1mb" }));
 // Modern Streamable HTTP endpoint
 app.post("/mcp", async (req, res) => {
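Review bot: The `{ limit: "1mb" }` passed to express.json() on the new app.use("/mcp", ...) line loosens the body cap rather than tightening it: express.json() already applies a default limit of 100kb, so this raises the largest accepted JSON body roughly tenfold while the new comment says the option is there to reduce DoS risk. Either keep the value at or below the default, `app.use("/mcp", express.json({ limit: "100kb" }));`, or, if MCP tool payloads genuinely need up to 1mb, reword the comment so the next reader knows the limit is being raised deliberately, e.g. `// Raise the JSON body limit above the 100kb default for large tool payloads, but keep it bounded to cap DoS exposure.`. Bodies over the limit are rejected by the parser with a 413 error that falls through to Express's error handling; if this app registers no error middleware (not visible here), the default handler's reply can include a stack trace outside production, so it is worth confirming one exists. The body of startHttpServer continues outside the hunk.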