diff --git a/index.d.ts b/index.d.ts
index 7578182fda..c413d8ae1a 100644
--- a/index.d.ts
+++ b/index.d.ts
@@ -326,10 +326,11 @@ declare module 'egg' {
 * @property {String} textLimit - json body size limit, default 1mb
 * @property {Boolean} strict - json body strict mode, if set strict value true, then only receive object and array json body
 * @property {Number} queryString.arrayLimit - from item array length limit, default 100
- * @property {Number} queryString.depth - json value deep lenght, default 5
- * @property {Number} queryString.parameterLimit - paramter number limit ,default 1000
- * @property {string[]} enableTypes - parser will only parse when request type hits enableTypes, default is ['json', 'form']
- * @property {any} extendTypes - support extend types
+ * @property {Number} queryString.depth - json value deep length, default 5
+ * @property {Number} queryString.parameterLimit - parameter number limit, default 1000
+ * @property {String[]} enableTypes - parser will only parse when request type hits enableTypes, default is ['json', 'form']
+ * @property {Object} extendTypes - support extend types
+ * @property {String} onProtoPoisoning - Defines what action must take when parsing a JSON object with `__proto__`. Possible values are `'error'`, `'remove'` and `'ignore'`. Default is `'error'`, it will return `403` response when `Prototype-Poisoning` happen.
 */
 bodyParser: {
 enable: boolean;
@@ -351,6 +352,8 @@ declare module 'egg' {
 form: string[];
 text: string[];
 };
+ /** Default is `'error'`, it will return `403` response when `Prototype-Poisoning` happen. */
+ onProtoPoisoning: 'error' | 'remove' | 'ignore';
 };

 /**
diff --git a/test/app/middleware/body_parser.test.js b/test/app/middleware/body_parser.test.js
index 04f37833ec..04fefcf238 100644
--- a/test/app/middleware/body_parser.test.js
+++ b/test/app/middleware/body_parser.test.js
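Review bot: The new `onProtoPoisoning` JSDoc line in the first hunk names the three modes but explains only `'error'`, and `'ignore'` is the one a reader most needs a warning about: presumably it leaves the `__proto__` key in the parsed body, so a later deep-merge or spread of `ctx.request.body` into a plain object can still pollute `Object.prototype` — confirm against the middleware implementation, which is outside this diff. Suggested wording: `@property {String} onProtoPoisoning - What to do when a JSON body contains a "__proto__" key: 'error' rejects the request with a 403 (default), 'remove' strips the key, 'ignore' leaves it in place and should only be used when the consumer handles it.` The phrase `what action must take` and `when Prototype-Poisoning happen` should also be fixed to `what action to take` and `when prototype poisoning is detected`. The enclosing `bodyParser` doc block starts before this hunk.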
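Review bot: The doc comment on the new `onProtoPoisoning` field in the second hunk only restates the default and its 403 response, so an editor tooltip on the union `'error' | 'remove' | 'ignore'` gives no hint what the other two values do or that one of them is unsafe. Suggest `/** Handling of a "__proto__" key in a JSON body: 'error' rejects with 403 (default), 'remove' strips the key, 'ignore' keeps it (caller must guard against prototype pollution). */`. The field being required rather than optional matches the sibling `enable: boolean` on what looks like the merged config type, so that seems consistent. The enclosing `bodyParser` type starts outside this hunk.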
@@ -98,6 +98,16 @@ describe('test/app/middleware/body_parser.test.js', () => {
 .expect(400);
 });
 
+ it('should 400 when POST with Prototype-Poisoning body', async () => {
+ app.mockCsrf();
+ await app.httpRequest()
+ .post('/test/body_parser/user')
+ .set('content-type', 'application/json')
+ .set('content-encoding', 'gzip')
+ .expect(/unexpected end of file, check bodyParser config/)
+ .expect(400);
+ });
+
 it('should disable body parser', async () => {
 app1 = utils.app('apps/body_parser_testapp_disable');
 await app1.ready();
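Review bot: The new test never sends a `__proto__` payload: it posts an empty body with `content-encoding: gzip` and asserts the gzip error `unexpected end of file, check bodyParser config`, so it duplicates the gzip case just above it and does not exercise `onProtoPoisoning` at all. To cover the documented default (`'error'` returning 403 per the `index.d.ts` change in this diff), replace the two lines `.set('content-encoding', 'gzip')` and `.expect(/unexpected end of file, check bodyParser config/)` with `.send('{"__proto__": {"polluted": true}}')` and change `.expect(400)` to `.expect(403)`, and rename the case to `should 403 when POST with Prototype-Poisoning body`. If the middleware does not actually return 403 in this version, the test will tell you and the type-level doc should be corrected instead. A companion case for `'remove'` asserting the parsed body has no own `__proto__` property would pin the other safe mode; the `describe` block enclosing this test begins before the hunk.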