What is the limit on QueryString / GET / URL parameters

HttpQuery String

Http Problem Overview

What is the limit on QueryString / GET / URL parameters

Http Solutions

Solution 1 - Http

There is no limit in theory. For HTTP URLs, the HTTP 1.1 specification states:

> The HTTP protocol does not place any a priori limit on the length of a URI. Servers MUST be able to handle the URI of any resource they serve, and SHOULD be able to handle URIs of unbounded length if they provide GET-based forms that could generate such URIs. A server SHOULD return 414 (Request-URI Too Long) status if a URI is longer than the server can handle (see section 10.4.15).

But in practice, many clients and servers do only support URLs up to a certain length. The rule of thumb is not to use URLs longer than 2000 characters (percent encoding already taken into account).

Solution 2 - Http

There is no defined limit. However, RFC 2068 states:

> The HTTP protocol does not place any a priori limit on the length of a URI. Servers MUST be able to handle the URI of any resource they serve, and SHOULD be able to handle URIs of unbounded length if they provide GET-based forms that could generate such URIs. A server SHOULD return 414 (Request-URI Too Long) status if a URI is longer than the server can handle (see section 10.4.15). Note: Servers should be cautious about depending on URI lengths above 255 bytes, because some older client or proxy implementations may not properly support these lengths.

Solution 3 - Http

Although officially there is no limit specified by RFC 2616, many security protocols and recommendations state that maxQueryStrings on a server should be set to a maximum character limit of 1024. While the entire URL, including the querystring, should be set to a max of 2048 characters. This is to prevent the Slow HTTP Request DDOS vulnerability on a web server. This typically shows up as a vulnerability on the Qualys Web Application Scanner and other security scanners.

Please see the below exampple code for Windows IIS Servers with Web.config:

This would also work on a server level using machine.config.

Note: Limiting query string and URL length may not completely prevent Slow HTTP Requests DDOS attack but it is one step you can take to prevent it.

Categories
Recommended Http Solutions
Recommended Query String Solutions

Previous Solution:

How do code coverage tools work?

Code Coverage

Next Solution:

add a temporary column with a value

SqlMysql

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionLalchandView Question on Stackoverflow
Solution 1 - HttpGumboView Answer on Stackoverflow
Solution 2 - HttpMatteo MoscaView Answer on Stackoverflow
Solution 3 - HttpTroyStevenView Answer on Stackoverflow