
Maximum HTTP request header size defaults compared across web servers

When a browser sends too much data in the HTTP header, a web server will (most likely) refuse the request. The most typical errors in this situation are 400 Bad Request, 413 Payload Too Large or 413 Request Entity Too Large.

Although the header size should in general be kept small (smaller = faster), many web applications store a lot of data in the HTTP header. A well-known source of large headers is the "Cookie" header, which sometimes stores a lot of data. Any other header field can be used to store additional data as well. There is no hard limit defined on how much data is allowed in an HTTP header. Or is there?

Each server application receiving and responding to HTTP requests has a default maximum size of the full HTTP header. Depending on the type of web or application server, these default values can differ and result in different behaviour when data is passed through multiple applications.

Dataflow of HTTP request going through multiple applications

The above drawing represents a basic architecture of a web application deployed in two locations. Before finally landing on the application server, the HTTP request needs to pass through multiple other servers acting as reverse proxies.

If, for whatever reason, the HTTP headers really need to have so much data, the default maximum limits may need to be increased on all involved application servers. To know whether or not an increase is necessary, we've prepared the following table for a quick lookup.

Updated comparison of max HTTP header size

This list is based on the article Debugging a HTTP 400 Bad Request error and will be updated on a regular basis. It should serve as an up-to-date reference point to quickly look up the default values of maximum header size on different HTTP servers.

| HTTP Server | Setting / Option name | Default value |
|---|---|---|
| Apache 2.2 | LimitRequestFieldSize | 8190 |
| Apache 2.4 | LimitRequestFieldSize | 8190 |
| Golang | MaxHeaderBytes (to override default) | none |
| Golang | DefaultMaxHeaderBytes (default) | 1 << 20 // 1 MB |
| HAProxy | tune.bufsize / tune.maxrewrite | 16384 / half of bufsize |
| IIS 4.x | MaxClientRequestBuffer | 2M |
| IIS 5.x | MaxClientRequestBuffer | 128K |
| IIS 5.x /w Win 2k SP4 | MaxClientRequestBuffer | 16K |
| IIS 6.x and later | MaxRequestBytes | 16K |
| Lighttpd | server.max-request-field-size | none |
| LiteSpeed | maxReqHeaderSize | 16380 |
| Nginx | large_client_header_buffers | 4 8k |
| Node.js < v13.13.0 | --max-http-header-size | 8KB |
| Node.js >= v13.13.0 | --max-http-header-size | 16KB |
| Tomcat 5.5 | maxHttpHeaderSize | 4096 |
| Tomcat 6 and later | maxHttpHeaderSize | 8192 |
| Wildfly 10 and later | max-header-size | 1048576 |
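
To see how mixed defaults behave when a request passes through several servers, the following added example (not part of the original article) walks a request through a hypothetical Nginx → Apache 2.4 → Tomcat chain and reports the first hop that would refuse it. The chain order, the function names and the scoping of each limit (one header line versus the whole request head) are assumptions of this example; the numbers are the defaults from the table, and byte counts are approximate at the exact boundary.

```python
# Added example: constructed requests and a hypothetical proxy chain.
# Limits are the defaults from the table; "field" caps one header line,
# "total" caps request line plus all header lines (scoping is an assumption).
CHAIN = [
    ("Nginx", {"field": 8 * 1024, "total": 4 * 8 * 1024}),  # large_client_header_buffers 4 8k
    ("Apache 2.4", {"field": 8190}),                        # LimitRequestFieldSize
    ("Tomcat 6 and later", {"total": 8192}),                # maxHttpHeaderSize
]


def wire_sizes(method, target, headers):
    """Return (total_bytes, {header_name: line_bytes}) for an HTTP/1.1 request head."""
    request_line = len(f"{method} {target} HTTP/1.1\r\n".encode("latin-1"))
    lines = {n: len(f"{n}: {v}\r\n".encode("latin-1")) for n, v in headers.items()}
    return request_line + sum(lines.values()) + 2, lines  # +2 for the closing CRLF


def first_rejecting_hop(chain, method, target, headers):
    """Walk the chain in order; return (hop, reason) for the first refusal, else None."""
    total, lines = wire_sizes(method, target, headers)
    name, biggest = max(lines.items(), key=lambda kv: kv[1], default=("", 0))
    for hop, limits in chain:
        if biggest > limits.get("field", float("inf")):
            return hop, f"{name} line is {biggest} bytes, field limit {limits['field']}"
        if total > limits.get("total", float("inf")):
            return hop, f"request head is {total} bytes, total limit {limits['total']}"
    return None


if __name__ == "__main__":
    base = {"Host": "app.example.com"}  # constructed sample requests
    samples = {
        "6000-byte cookie": {**base, "Cookie": "s=" + "a" * 6000},
        "three 3000-byte headers": {**base, **{f"X-Ctx-{i}": "b" * 3000 for i in range(3)}},
        "9000-byte cookie": {**base, "Cookie": "s=" + "a" * 9000},
    }
    for label, headers in samples.items():
        print(label, "->", first_rejecting_hop(CHAIN, "GET", "/", headers))
```

The second sample passes both proxies because no single header is large, yet the application server refuses it on total size, which is the case that is hardest to spot when only the front proxy's limit was checked.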
Claudio Kuenzler
Claudio has written well over 1000 articles on his own blog since 2008. He is fascinated by technology, especially Open Source Software. As a Senior Systems Engineer he has seen and solved a lot of problems, and writes about them.
