By When a browser sends too much data in the HTTP header, a web server will (most likely) refuse the request. The most typical errors in this situation are 400 Bad Request or 413 Payload Too Large or 413 Request Entity Too Large.
Although the header size should in general be kept small (smaller = faster), there are many web applications storing a lot of data in the HTTP header. A very well known source of big data is the "Cookie" header which sometimes stores a lot of data. But also any other header field can be used to store additional data – there is no hard limit defined on how much data is allowed in a HTTP header. Or is there?
Each server application receiving and responding to HTTP requests has a default maximum size of the full HTTP header. Depending on the type of web or application server, these default values can differ and result in different behaviour when data is passed through multiple applications.
Updated comparison of max http header size
This list is based on the article Debugging a HTTP 400 Bad Request error and will be updated on a regular basis. It should serve as an up to date reference point to quickly look up the default values of maximum header size on different HTTP servers.
| HTTP Server | Setting / Option name | Default value |
| Apache 2.2 | LimitRequestFieldSize | 8190 |
| Apache 2.4 | LimitRequestFieldSize | 8190 |
| Golang | MaxHeaderBytes (to override default) DefaultMaxHeaderBytes (default) | none 1 << 20 // 1 MB |
| HAProxy | tune.bufsize / tune.maxrewrite | 16384 / half of bufsize |
| IIS 4.x | MaxClientRequestBuffer | 2M |
| IIS 5.x | MaxClientRequestBuffer | 128K |
| IIS 5.x /w Win 2k SP4 | MaxClientRequestBuffer | 16K |
| IIS 6.x and later | MaxRequestBytes | 16K |
| Lighttpd | server.max-request-field-size | none |
| LiteSpeed | maxReqHeaderSize | 16380 |
| Nginx | large_client_header_buffers | 4 8k |
| Node.js < v13.13.0 | –max-http-header-size | 8KB |
| Node.js >= v13.13.0 | –max-http-header-size | 16KB |
| Tomcat 5.5 | maxHttpHeaderSize | 4096 |
| Tomcat 6 and later | maxHttpHeaderSize | 8192 |
| Traefik | same as Golang, see Golang above | see Golang |
| Varnish | http_req_hdr_len | 8k |
| Wildfly 10 and later | max-header-size | 1048576 |
