本文翻譯自:Maximum on http header values?
Is there an accepted maximum allowed size for HTTP headers? HTTP標頭是否存在可接受的最大允許大小? If so, what is it? 如果是這樣,那是什麼? If not, is this something that's server specific or is the accepted standard to allow headers of any size? 如果不是,這是服務器特定的還是允許任何大小的標頭的公認標準?
#1樓
參考:https://stackoom.com/question/2sW1/http標頭值的最大值
#2樓
HTTP does not place a predefined limit on the length of each header field or on the length of the header section as a whole, as described in Section 2.5. HTTP並未對每個標頭字段的長度或整個標頭部分的長度設置預定義的限制,如2.5節所述。 Various ad hoc limitations on individual header field length are found in practice, often depending on the specific field semantics. 在實踐中,通常會根據特定的字段語義找到對各個標頭字段長度的各種特殊限制。
HTTP Header values are restricted by server implementations. HTTP標頭值受服務器實現的限制。 Http specification doesn't restrict header size. Http規範不限制標頭大小。
A server that receives a request header field, or set of fields, larger than it wishes to process MUST respond with an appropriate 4xx (Client Error) status code. 接收到大於其希望處理的請求標頭字段或一組字段的服務器,必須以適當的4xx(客戶端錯誤)狀態碼進行響應。 Ignoring such header fields would increase the server's vulnerability to request smuggling attacks (Section 9.5). 忽略此類標頭字段將增加服務器請求走私攻擊的漏洞(第9.5節)。
Most servers will return 413 Entity Too Large or appropriate 4xx error when this happens. 發生這種情況時,大多數服務器將返回413 Entity Too Large或適當的4xx錯誤。
A client MAY discard or truncate received header fields that are larger than the client wishes to process if the field semantics are such that the dropped value(s) can be safely ignored without changing the message framing or response semantics. 如果字段語義使得在不改變消息成幀或響應語義的情況下可以安全地忽略丟棄的值,則客戶端可以丟棄或截斷大於客戶端希望處理的接收到的報頭字段。
Uncapped HTTP header size keeps the server exposed to attacks and can bring down its capacity to serve organic traffic. HTTP標頭的大小不受限制,使服務器容易受到攻擊,並可能降低其服務自然流量的能力。
#3樓
I also found that in some cases the reason for 502/400 in case of many headers could be because of a large number of headers without regard to size. 我還發現,在某些情況下,如果有許多標頭,則使用502/400的原因可能是由於大量標頭而不考慮大小。 from the docs 從文檔
tune.http.maxhdr Sets the maximum number of headers in a request. tune.http.maxhdr設置請求中標頭的最大數量。 When a request comes with a number of headers greater than this value (including the first line), it is rejected with a "400 Bad Request" status code. 當請求的標頭數量大於此值(包括第一行)時,將使用狀態代碼“ 400 Bad Request”拒絕該請求。 Similarly, too large responses are blocked with "502 Bad Gateway". 同樣,太大的響應將被“ 502 Bad Gateway”阻止。 The default value is 101, which is enough for all usages, considering that the widely deployed Apache server uses the same limit. 考慮到廣泛部署的Apache服務器使用相同的限制,默認值爲101,足以滿足所有使用情況。 It can be useful to push this limit further to temporarily allow a buggy application to work by the time it gets fixed. 進一步推動此限制可能很有用,以便在有問題的應用程序修復後暫時允許其運行。 Keep in mind that each new header consumes 32bits of memory for each session, so don't push this limit too high. 請記住,每個新標頭在每個會話中都會佔用32位內存,因此請不要將此限制過高。
https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#3.2-tune.http.maxhdr https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#3.2-tune.http.maxhdr
#4樓
No, HTTP does not define any limit. 不,HTTP沒有定義任何限制。 However most web servers do limit size of headers they accept. 但是,大多數Web服務器確實會限制它們接受的標頭的大小。 For example in Apache default limit is 8KB, in IIS it's 16K . 例如,在Apache中,默認限制爲8KB,在IIS中, 默認限制爲16K 。 Server will return 413 Entity Too Large error if headers size exceeds that limit. 如果標頭大小超過該限制,服務器將返回413 Entity Too Large錯誤。
Related question: How big can a user agent string get? 相關問題: 用戶代理字符串可以達到多大?
#5樓
As vartec says above, the HTTP spec does not define a limit, however many servers do by default. 就像vartec上面說的那樣,HTTP規範沒有定義限制,但是默認情況下許多服務器都做了限制。 This means, practically speaking, the lower limit is 8K . 實際上,這意味着下限是8K 。 For most servers, this limit applies to the sum of the request line and ALL header fields (so keep your cookies short). 對於大多數服務器,此限制適用於請求行和ALL標頭字段的總和 (因此,請確保您的Cookie簡短)。
- Apache 2.0 , 2.2 : 8K 的Apache 2.0 , 2.2 :8K
- nginx : 4K - 8K nginx : 4K -8K
- IIS: varies by version , 8K - 16K IIS: 不同版本 , 8K -16K
- Tomcat: varies by version , 8K - 48K (?!) Tomcat: 因版本而異 , 8K -48K(?!)
It's worth noting that nginx uses the system page size by default, which is 4K on most systems. 值得注意的是,nginx默認使用系統頁面大小,在大多數系統上爲4K。 You can check with this tiny program: 您可以使用以下小程序進行檢查:
pagesize.c: pagesize.c:
#include <unistd.h>
#include <stdio.h>
int main() {
int pageSize = getpagesize();
printf("Page size on your system = %i bytes\n", pageSize);
return 0;
}
Compile with gcc -o pagesize pagesize.c then run ./pagesize . 使用gcc -o pagesize pagesize.c進行編譯,然後運行./pagesize 。 My ubuntu server from Linode dutifully informs me the answer is 4k. 我來自Linode的 ubuntu服務器忠實地告訴我答案是4k。