When a browser sends too much data in the HTTP header, a web server will (most likely) refuse the request. The most typical errors in this situation are 400 Bad Request or 413 Payload Too Large or 413 Request Entity Too Large.
Although the header size should in general be kept small (smaller = faster), there are many web applications storing a lot of data in the HTTP header. A very well known source of big data is the "Cookie" header which sometimes stores a lot of data. But also any other header field can be used to store additional data – there is no hard limit defined on how much data is allowed in a HTTP header. Or is there?
Each server application receiving and responding to HTTP requests has a default maximum size of the full HTTP header. Depending on the type of web or application server, these default values can differ and result in different behaviour when data is passed through multiple applications.
The above drawing represents a basic architecture of a web application deployed in two locations. Before finally landing on the application server, the HTTP request needs to pass through multiple application servers before, serving as reverse proxy servers.
If, for whatever reason, the HTTP headers really need to have so much data, the default maximum limits may need to be increased on all involved application servers. To know whether or not an increase is necessary, we've prepared the following table for a quick lookup.
Updated comparison of max http header size
This list is based on the article Debugging a HTTP 400 Bad Request error and will be updated on a regular basis. It should serve as an up to date reference point to quickly look up the default values of maximum header size on different HTTP servers.
|HTTP Server||Setting / Option name||Default value|
|Golang||MaxHeaderBytes (to override default)|
1 << 20 // 1 MB
|HAProxy||tune.bufsize / tune.maxrewrite||16384 / half of bufsize|
|IIS 5.x /w Win 2k SP4||MaxClientRequestBuffer||16K|
|IIS 6.x and later||MaxRequestBytes||16K|
|Node.js < v13.13.0||–max-http-header-size||8KB|
|Node.js >= v13.13.0||–max-http-header-size||16KB|
|Tomcat 6 and later||maxHttpHeaderSize||8192|
|Wildfly 10 and later||max-header-size||1048576|