Using Spring Webflux, I need to limit the payload size of incoming HTTP requests (e.g. to say 5MB). Is this something configurable out-of-the-box? If not, which APIs can we use to implement this behavior (e.g. return a 413 if the payload is too big).

I guess you want to do this to prevent Denial Of Service attacks by malicious or misbehaving clients.

The usual recommendation is to not directly connect HTTP application servers to the Internet, but instead via an HTTP reverse proxy server (such as a suitably configured Apache HTTPD or nginx). These proxy servers provide means for blocking large requests. They provide other facilities for blocking or mitigating bad clients.

You should therefore consider whether it would be easier not to implement this functionality in you application, and instead rely on the proxy doing it for you.