Why multipart/form-data Uploads Fail

Quick Answer

multipart/form-data uploads fail when the boundary is missing, field names do not match the server parser, the client manually sets the wrong Content-Type, the file is too large, or middleware reads the body before the upload handler. Let the browser set the multipart Content-Type when using FormData.

Example Scenario

A file upload works in one client but fails from the browser. The server says no file was provided, or the request body is empty. The frontend code creates FormData correctly but also sets Content-Type: multipart/form-data manually, removing the boundary the server needs to parse the parts.

Step-by-Step Explanation

1. Inspect the final request headers and confirm the multipart boundary exists.
2. Do not manually set Content-Type when sending browser FormData.
3. Confirm file field names match the server parser configuration.
4. Check size limits and allowed MIME types.
5. Verify middleware order so another parser does not consume the body first.
6. Compare a working curl upload with the failing browser request.

The Boundary Is Not Optional

Multipart bodies are separated into parts using a boundary string. The Content-Type header must include that boundary so the server can split the body into fields and files. When the browser builds FormData, it also knows how to generate and attach the correct boundary.

A common bug is manually setting Content-Type: multipart/form-data. That looks correct to a person, but it often omits the boundary parameter. The server sees multipart data without the separator metadata and cannot parse the file.

When using fetch with FormData in the browser, let the browser set Content-Type. Set custom headers only when you know they do not replace the generated multipart header.

Field Names Are Part of the Contract

The server upload handler usually expects a field name such as file, avatar, attachment or documents. If the client appends the file under a different name, the body may contain the file but the handler still reports it missing.

This is especially common when frontend code uses input.name, while backend code expects a hard-coded field. Another client or API example may use a different name and still work because that route is configured differently.

Inspect the actual multipart part names in a working request. Then make the browser request match that contract exactly.

File Metadata Can Affect Validation

Upload handlers may validate filename, MIME type, extension, size and sometimes image dimensions. The browser supplies a file type when available, but it can be empty or inaccurate. The server should validate content safely rather than trusting only the client metadata.

A file can fail because its MIME type is application/octet-stream even though the extension looks correct. Another file can pass the browser picker but fail server-side size or dimension checks.

Good error responses identify which validation failed. A generic no file uploaded message sends debugging in the wrong direction when the file was present but rejected.

Middleware Order Matters

Multipart parsing is usually handled by specialized middleware. If a JSON body parser, logging middleware or proxy consumes the stream first, the upload parser may receive an empty body. Request bodies are streams; they cannot always be read twice.

Check route-specific middleware order. Upload endpoints often need different handling than JSON API endpoints. Reusing the same global parser chain for every route can create subtle failures.

If the route is deployed through serverless or edge infrastructure, confirm the platform supports the upload size and streaming behavior you expect.

Compare Browser and Curl Requests

A working curl command is useful because it shows the field names and file path explicitly. A failing browser request is useful because it shows the final headers, credentials and CORS behavior. Compare both rather than assuming they are equivalent.

If curl works but the browser fails, check CORS, credentials, FormData construction and manually set headers. If both fail, check server parser configuration and route limits.

Save the smallest upload that reproduces the issue. A tiny text file is easier to inspect than a private multi-megabyte document.

Production Checks

Set explicit upload size limits and return structured errors. Log field name, file count, reported MIME type, byte size and rejection reason without logging file contents.

Test empty file, wrong field name, too-large file, wrong MIME type and valid upload. These cases catch most regressions around multipart parsing.

If uploads go through direct storage, separate storage upload success from application metadata save success. A file can reach storage while the API record still fails validation.

Add browser tests for the exact FormData construction path, not only server parser tests. A server test can prove multipart parsing works while the browser client still sends the wrong field name or overrides the boundary header.

For support workflows, keep a tiny safe fixture file such as a one-line text file and one known-invalid file type. These fixtures make upload bugs reproducible without moving private user documents around.

When upload failures are intermittent, check whether the client sends the same request every time. Drag-and-drop, mobile file pickers and camera capture flows can produce different filenames, MIME types and file sizes even when users think they selected the same image.

Also compare authenticated and anonymous upload paths. Some applications upload to temporary storage before login and to account storage after login. The field names may match while limits, credentials and storage destinations differ.

For large uploads, progress events and cancellation behavior become part of the user experience. A backend parser may be correct, but users still see failure if the UI cannot distinguish slow upload, canceled upload and server rejection.

Check filenames with spaces, non-ASCII characters and duplicate names. Storage systems may normalize names differently from the browser, and downstream processors may reject characters the upload endpoint accepted. Logging a safe stored object key next to the original filename helps connect upload success with later processing failures.

If the upload endpoint also accepts metadata fields, validate the metadata and file independently. A malformed JSON-like metadata field should not be reported as missing file, and a rejected file type should not be reported as a metadata validation error. Clear separation makes support cases much easier.

For resumable or chunked uploads, log chunk number, upload id and final assembly status separately. A chunk can upload correctly while final assembly fails because a chunk is missing, duplicated or attached to the wrong session. Treat the upload lifecycle as several API steps, not one request.

If antivirus scanning or media processing runs after upload, make that state visible to the client. Otherwise users can see upload success followed by a delayed failure that looks unrelated to multipart parsing.

Code Examples

const form = new FormData();
form.append('avatar', file);
form.append('displayName', 'Ada');

await fetch('/api/avatar', { method: 'POST', body: form });

await fetch('/api/avatar', {
  method: 'POST',
  headers: { 'Content-Type': 'multipart/form-data' }, // fragile
  body: form
});

console.log({
  field: 'avatar',
  filename: file.name,
  type: file.type || 'unknown',
  size: file.size
});

Common Mistakes

• Setting multipart Content-Type manually and losing the boundary.
• Using a field name the server does not parse.
• Trusting browser-provided MIME type as the only validation.
• Running JSON body middleware before upload parsing.
• Debugging with large private files instead of a minimal test file.

FAQ

Related Tools

Related References

Related Workflows