diff --git a/pdp/handlers_add.go b/pdp/handlers_add.go
index 7d964b381..256c22344 100644
--- a/pdp/handlers_add.go
+++ b/pdp/handlers_add.go
@@ -329,6 +329,11 @@ func (p *PDPService) handleAddPieceToDataSet(w http.ResponseWriter, r *http.Requ
 http.Error(w, "Invalid extraData format (must be hex encoded): "+err.Error(), http.StatusBadRequest)
 return
 }
+ if len(extraDataBytes) > MaxAddPiecesExtraDataSize {
+ errMsg := fmt.Sprintf("extraData size (%d bytes) exceeds the maximum allowed limit for AddPieces (%d bytes)", len(extraDataBytes), MaxAddPiecesExtraDataSize)
+ http.Error(w, errMsg, http.StatusBadRequest)
+ return
+ }

 // Step 4: Prepare piece information
 pieceDataArray, subPieceInfoMap, subPieceCidList, err := p.transformAddPiecesRequest(ctx, serviceLabel, payload.Pieces)
diff --git a/pdp/handlers_create.go b/pdp/handlers_create.go
index f7200d45e..7a22c293a 100644
--- a/pdp/handlers_create.go
+++ b/pdp/handlers_create.go
@@ -3,6 +3,7 @@ package pdp
 import (
 "encoding/hex"
 "encoding/json"
+ "fmt"
 "io"
 "math/big"
 "net/http"
@@ -17,6 +18,16 @@ import (
 "github.com/filecoin-project/curio/pdp/contract"
 )

+const (
+ // MaxCreateDataSetExtraDataSize defines the service-level limit for extraData in CreateDataSet calls (4KB).
+ // Recommended in FilOzone/pdp#224.
+ MaxCreateDataSetExtraDataSize = 4096
+
+ // MaxAddPiecesExtraDataSize defines the service-level limit for extraData in AddPieces calls (8KB).
+ // Recommended in FilOzone/pdp#224.
+ MaxAddPiecesExtraDataSize = 8192
+)
+
 var logCreate = logger.Logger("pdp/create")

 // handleCreateDataSetAndAddPieces handles the creation of a new data set and adding pieces at the same time
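Review bot: In handleAddPieceToDataSet (pdp/handlers_add.go) the new limit is applied to `extraDataBytes` only after the hex string has been decoded, so an oversized value is still decoded and allocated in full before the 400 is returned. Rejecting on the encoded length first, e.g. `if len(<hex field>) > 2*MaxAddPiecesExtraDataSize { ... }` placed ahead of the decode (the field name is a placeholder, since the decode call is outside this hunk and any prefix handling there has to be allowed for), bounds that work up front. The same ordering is used in the handleCreateDataSetAndAddPieces and handleCreateDataSet hunks of pdp/handlers_create.go. Whether the request body as a whole is capped (for example with `http.MaxBytesReader`) is not visible in these hunks and is worth confirming, because a per-field limit does not bound what the JSON decoder reads.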
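Review bot: The comments on the new constants in pdp/handlers_create.go do not say which length is being limited. All three handlers compare them against `len(extraDataBytes)` after hex decoding, so the hex string accepted on the wire can be about twice as long. Stating the unit would remove the ambiguity, e.g. `// MaxAddPiecesExtraDataSize is the service-level limit, in decoded bytes, for extraData in AddPieces calls (8 KiB).` and the same wording for MaxCreateDataSetExtraDataSize. If these values are meant to track a limit enforced elsewhere (the comments point to FilOzone/pdp#224), naming where the authoritative value lives would help keep the two from drifting.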
@@ -64,6 +75,11 @@ func (p *PDPService) handleCreateDataSetAndAddPieces(w http.ResponseWriter, r *h
 http.Error(w, "Invalid extraData format (must be hex encoded)", http.StatusBadRequest)
 return
 }
+ if len(extraDataBytes) > MaxAddPiecesExtraDataSize {
+ errMsg := fmt.Sprintf("extraData size (%d bytes) exceeds the maximum allowed limit for CreateDataSetAndAddPieces (%d bytes)", len(extraDataBytes), MaxAddPiecesExtraDataSize)
+ http.Error(w, errMsg, http.StatusBadRequest)
+ return
+ }

 // Check if indexing is needed by decoding the extraData
 mustIndex, err := CheckIfIndexingNeededFromExtraData(extraDataBytes)
@@ -224,6 +240,11 @@ func (p *PDPService) handleCreateDataSet(w http.ResponseWriter, r *http.Request)
 http.Error(w, "Invalid extraData format (must be hex encoded): "+err.Error(), http.StatusBadRequest)
 return
 }
+ if len(extraDataBytes) > MaxCreateDataSetExtraDataSize {
+ errMsg := fmt.Sprintf("extraData size (%d bytes) exceeds the maximum allowed limit for CreateDataSet (%d bytes)", len(extraDataBytes), MaxCreateDataSetExtraDataSize)
+ http.Error(w, errMsg, http.StatusBadRequest)
+ return
+ }

 // Step 3: Get the sender address from 'eth_keys' table where role = 'pdp' limit 1
 fromAddress, err := p.getSenderAddress(ctx)
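Review bot: handleCreateDataSetAndAddPieces bounds its extraData with `MaxAddPiecesExtraDataSize`, a constant whose comment describes it as the limit for AddPieces calls, while the error message names CreateDataSetAndAddPieces. If the combined call's extraData carries both the create and the add payloads (how it is structured is not visible in this hunk), a single 8192-byte cap neither enforces the 4096-byte create limit on its part nor obviously leaves room for both. A dedicated constant such as `MaxCreateDataSetAndAddPiecesExtraDataSize`, or a one-line comment above the check stating why the AddPieces limit is the right bound here, would make the intent explicit. The handler's body starts and ends outside the hunk.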