The post limit settings on one of our production servers are postSizeLimit=100 and postParametersLimit=1500. Both seem pretty high to me on a gut level, but there are occasional "POST parameters exceeds the maximum limit" errors recorded by FusionReactor. What do folks think are reasonable limits for those? I'd guess super huge limits could crash the server with out of memory errors, but it's hard to quantify any of that, especially the max number of parameters. Thoughts?

IMO: Set them as low as possible while still allowing all legitimate requests. Those limits are going to vary widely by the application, so I don't know that anyone is really going to be able to provide meaningful answers for your applications. We have one application which has to accept relatively large upload files for processing so that limit is set at 20MB and it has a large grid-based form that requires post parameters limit of 1,560 but those figures are very specific to this one app. What we can't have is requests failing for exceeding those limits.

Agree, the downside of too-low limits is requests failing for what to the user is unknown reasons. They don't even get logged as errors by this app, I think because the request gets rejected before it even hits CF. It's only FR that knows. Se what's the downside of to HIGH limits? DOS attacks overwhelming the server?

Yes, presumably.

Are the occasional errors you see with FusionReactor for legitimate requests, or are those from bad actors who are scanning your system for vulnerabilities?

almost certainly legit requests