diff --git a/cmd/signature-v4-utils.go b/cmd/signature-v4-utils.go
index 01b12dff2..d0e58ed03 100644
--- a/cmd/signature-v4-utils.go
+++ b/cmd/signature-v4-utils.go
@@ -21,6 +21,7 @@ import (
 	"context"
 	"crypto/hmac"
 	"encoding/hex"
+	"io"
 	"io/ioutil"
 	"net/http"
 	"strconv"
@@ -61,7 +62,7 @@ func skipContentSha256Cksum(r *http.Request) bool {
 // Returns SHA256 for calculating canonical-request.
 func getContentSha256Cksum(r *http.Request, stype serviceType) string {
 	if stype == serviceSTS {
-		payload, err := ioutil.ReadAll(r.Body)
+		payload, err := ioutil.ReadAll(io.LimitReader(r.Body, stsRequestBodyLimit))
 		if err != nil {
 			logger.CriticalIf(context.Background(), err)
 		}
diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index ad997e46b..2a7fc5261 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -40,6 +40,8 @@ const (
 	clientGrants = "AssumeRoleWithClientGrants"
 	webIdentity  = "AssumeRoleWithWebIdentity"
 	assumeRole   = "AssumeRole"
+
+	stsRequestBodyLimit = 10 * (1 << 20) // 10 MiB
 )
 
 // stsAPIHandlers implements and provides http handlers for AWS STS API.
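Review bot: The new `io.LimitReader` on the `payload, err := ioutil.ReadAll(...)` line silently truncates an oversized body instead of rejecting it: LimitReader returns a clean EOF at stsRequestBodyLimit, so a body larger than 10 MiB produces a checksum over its first 10 MiB with err == nil while the remainder stays unread in r.Body. Whatever getContentSha256Cksum does with payload after this point (the function continues past the hunk) will therefore see a truncated request rather than an over-limit condition, and any signature comparison built on that hash would presumably fail as an opaque mismatch rather than a clear size error. A common pattern is to read one byte past the cap and treat overflow explicitly, e.g. `payload, err := ioutil.ReadAll(io.LimitReader(r.Body, stsRequestBodyLimit+1))` followed by `if err == nil && len(payload) > stsRequestBodyLimit { /* reject as too large */ }`, or to apply `http.MaxBytesReader` in the STS handler where a ResponseWriter is available so the client gets a 413. Separately, the existing `logger.CriticalIf(context.Background(), err)` on the read error is reachable from a client-controlled body; the commit does not touch it, but it is worth confirming that CriticalIf is appropriate for a request-level failure rather than a process-level one.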
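Review bot: stsRequestBodyLimit is introduced with only the trailing `// 10 MiB`, yet its sole use in this commit is in a different file (getContentSha256Cksum in signature-v4-utils.go), so a reader of sts-handlers.go cannot tell what it bounds or why this value was chosen. I would replace the trailing comment with a doc comment such as `// stsRequestBodyLimit caps how many bytes of an STS request body are read when computing the request's content SHA256 (see getContentSha256Cksum in signature-v4-utils.go).` The hunk does not show what sizes STS request bodies actually reach on this server, so whether 10 MiB is a sensible ceiling (versus something much smaller for form-encoded token requests) should be confirmed and recorded in that comment.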