feat: decrease the default value of maxHttpBufferSize

This change reduces the default value from 100 mb to a more sane 1 mb.

This helps protect the server against denial of service attacks by
malicious clients sending huge amounts of data.

Backported from 734f9d1

Author: darrachequesne

Diff for: README.md

@@ -227,7 +227,7 @@ to a single process.
       - `upgradeTimeout` (`Number`): how many ms before an uncompleted transport upgrade is cancelled (`10000`)
       - `maxHttpBufferSize` (`Number`): how many bytes or characters a message
         can be, before closing the session (to avoid DoS). Default
-        value is `10E7`.
+        value is `1e6` (1MB).
       - `allowRequest` (`Function`): A function that receives a given handshake
         or upgrade request as its first parameter, and can decide whether to
         continue or not. The second argument is a function that needs to be

Diff for: lib/server.js

@@ -40,7 +40,7 @@ function Server (opts) {
   this.pingTimeout = opts.pingTimeout || 5000;
   this.pingInterval = opts.pingInterval || 25000;
   this.upgradeTimeout = opts.upgradeTimeout || 10000;
-  this.maxHttpBufferSize = opts.maxHttpBufferSize || 10E7;
+  this.maxHttpBufferSize = opts.maxHttpBufferSize || 1e6;
   this.transports = opts.transports || Object.keys(transports);
   this.allowUpgrades = false !== opts.allowUpgrades;
   this.allowRequest = opts.allowRequest;