Is there a practical HTTP Header length limit?

Tags: http, iis-7, apache2, http-headers, tomcat6

Http Problem Overview

I have a web application that adds contextual information to XmlHttpRequest objects using the setRequestHeader API. I am using a custom header name (e.g. X-Foo) and a JSON structured value. It isn't part of the URL QueryString or POST body because it is meta information about the request.

Is there a practical size limit to the header value? If my JSON gets truncated, it becomes unparseable. I am most concerned with limits in Apache 2, Tomcat 6 and IIS 7. I did a Google search for http header length limit, but many of the results seem dated. There are some relevant comments in How big can a user agent string get? but not as specific as I would like.

Edit: I just ran across this similar question - Maximum on http header values?

Http Solutions

Solution 1 - Http

Although each web server software has some limitations, there is a difference whether there’s a limit for the HTTP request line plus header fields or for each header field.

Here’s a summary:

  • Apache 1.3, 2.0, 2.2, 2.3: 8190 Bytes (for each header field)
  • IIS:
    • 4.0: 2097152 Bytes (for the request line plus header fields)
    • 5.0: 131072 Bytes, 16384 Bytes with Windows 2000 Service Pack 4 (for the request line plus header fields)
    • 6.0: 16384 Bytes (for each header field)
  • Tomcat:
    • 5.5.x/6.0.x: 49152 Bytes (for the request line plus header fields)
    • 7.0.x: 8190 Bytes (for the request line plus header fields)

So to conclude: To be accepted by all web servers above, a request’s request line plus header fields should not exceed 8190 Bytes. This is also the limit for each header field (effectively even less).
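
An added example, not part of any answer above: a client-side check in JavaScript that sizes the request line and each header field the way a server counts them (name, colon, space, value, CRLF) and only attaches the JSON X-Foo header when the request head stays within the most conservative limits from the table (8190 bytes per field and 8190 bytes for request line plus all fields). It assumes the script knows the headers the browser will add on its own; the base headers, paths and context values are constructed for illustration.

```javascript
// Conservative limits taken from the summary table above: 8190 bytes per header
// field (Apache) and 8190 bytes for the request line plus all header fields (Tomcat 7).
const PER_FIELD_LIMIT = 8190;
const TOTAL_LIMIT = 8190;
const enc = new TextEncoder(); // counts UTF-8 bytes, not characters; works in browsers and Node

// Byte length of one header field as sent on the wire: "Name: value\r\n".
function headerFieldBytes(name, value) {
  return enc.encode(`${name}: ${value}\r\n`).length;
}

// Byte length of the request line "METHOD target HTTP/1.1\r\n".
function requestLineBytes(method, target) {
  return enc.encode(`${method} ${target} HTTP/1.1\r\n`).length;
}

// Check a whole request head against both limits. Returns the total size,
// the names of any over-long fields, and whether the head is within bounds.
function checkRequest(method, target, headers) {
  let total = requestLineBytes(method, target) + 2; // +2 for the blank line ending the head
  const offending = [];
  for (const [name, value] of Object.entries(headers)) {
    const n = headerFieldBytes(name, value);
    if (n > PER_FIELD_LIMIT) offending.push(name);
    total += n;
  }
  return { ok: offending.length === 0 && total <= TOTAL_LIMIT, totalBytes: total, offending };
}

// Attach the JSON context as a custom header only if the whole head still fits;
// otherwise return null so the caller can fall back (e.g. send a short reference
// id instead) rather than let a server truncate or reject the request.
function attachContext(method, target, baseHeaders, name, context) {
  const candidate = { ...baseHeaders, [name]: JSON.stringify(context) };
  return checkRequest(method, target, candidate).ok ? candidate : null;
}

// Constructed sample of headers a browser adds on its own (assumed, not real data).
const BASE_HEADERS = {
  Host: 'app.example.com',
  'User-Agent': 'Mozilla/5.0 (constructed sample)',
  Accept: 'application/json',
  Cookie: 'session=' + 'a'.repeat(2000),
};

const small = attachContext('GET', '/api/items', BASE_HEADERS, 'X-Foo', { user: 'u1', trace: 'abc' });
const big = attachContext('GET', '/api/items', BASE_HEADERS, 'X-Foo', { blob: 'x'.repeat(9000) });
console.log(small !== null, big === null); // true true
```

Note that the check measures bytes after JSON encoding, so non-ASCII values in the context cost more than their character count.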

Solution 2 - Http

Yes, but the limits are configurable and dependent on platform. For example, Tomcat has a default limit of 8K. I believe that IIS 6, not sure about IIS 7, has a limit of 16K. I ran into this when using integrated Windows authentication for several web sites. Turns out my security token was too large when encoded into the header. Fortunately, these are configurable. Registry settings for IIS can be found at http://support.microsoft.com/kb/820129. I believe the key settings to change are MaxFieldLength (per header size) and MaxRequestBytes (total size of request).

Solution 3 - Http

For Apache, I found this Server Limits for Apache Security article that lists these directives:

  # allow up to 100 headers in a request
  LimitRequestFields 100
  # each header field may be up to 8190 bytes long
  LimitRequestFieldSize 8190

For Nginx, the large_client_header_buffers directive from HttpCoreModule controls this:

> The longest header line of a request also must not be more than the size of one buffer, otherwise the client gets the error "Bad request" (400).
>
> By default the size of one buffer is equal to the page size, which depending on platform is either 4K or 8K.

Solution 4 - Http

While you can configure the server, it's unlikely that you really can configure the whole way through firewalls, load balancers and proxies. Keeping the header size small keeps problems away.

Solution 5 - Http

The Flash Media Server 4.5 has a very short default header length limit which can cause the server to simply not respond, particularly in circumstances where there is a moderate cookie load.

See: Flash Media Server 4.5 Configuration and Administration, "Configuring the server" / "Configuring Apache HTTP Server" / "Specify the maximum HTTP header line length":

> In the Flash Media Server Adaptor.xml file, the MaxHeaderLineLength element determines the size of the HTTP header the server can handle. The default value for MaxHeaderLineLength is 1024 bytes. Some browsers send a header larger than 1024 bytes. In this scenario, Apache sends back an empty response. To fix this issue, configure MaxHeaderLineLength to 8192.
>
> Note: By default, the Apache HTTP header size limit is 8 KB (8190 bytes plus a carriage return).

Putting this here in case the header size limit on Flash Media Server bites someone else.

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type         Original Author
Question             Kevin Hakanson
Solution 1 - Http    Gumbo
Solution 2 - Http    tvanfosson
Solution 3 - Http    Kevin Hakanson
Solution 4 - Http    Lothar
Solution 5 - Http    artlung