I recently ran into an issue that seemed worth writing up, because it touches a common hardening practice: web servers limit incoming requests along several dimensions, one of them being the size of the request headers. Servers such as Apache, Nginx and Tomcat apply this limit to bound the memory they allocate per connection and to blunt denial-of-service attacks that would otherwise send arbitrarily large headers before the request is even dispatched.
The problem was related to OpenGrok and a huge number of locally indexed documents: when I tried to search for something, I got the error
Type Exception Report
Message Request header is too large
Most web and application servers let you raise these limits in their configuration. In my case, while working on a project that was being indexed, the limit I hit was the default of 8 KB for the whole request header block. That default is shared by many web and application servers, and it can be changed when needed.
A related issue I have noticed occurs with JSON Web Tokens (JWTs). When a JWT grows too large, often because an excessive number of roles or other metadata is packed into its payload, it can exceed the server's default header size limit, especially when it is sent as a Bearer token in the Authorization header. The problem is most visible in systems whose tokens carry a long list of permissions, because base64url encoding inflates the JSON payload by another third on top of what the claims already take.
Here’s how I typically approach these scenarios:
- Adjust server configurations: most web servers allow you to increase the maximum header size. Nginx, for example, has the large_client_header_buffers directive (default 4 8k), with the rule that a single header line such as Authorization must fit into one buffer or Nginx answers 400; Apache httpd has LimitRequestFieldSize (default 8190 bytes). Raise the limit at every hop between the client and the application, since a reverse proxy with a smaller limit will reject the request before the application server sees it.
- Optimize JWT payloads: instead of cramming everything into the token, encode only the data the resource server needs for its decision. Alternatively, store the bulky data (role lists, group memberships) server-side and have the token carry only a short opaque reference to it, which the server resolves after verifying the signature.
- Use distributed authorization for JWT-protected services, so that the policy decision is made next to the service from locally available data and the token only needs to identify the subject (see Styra DAS, Distributed authorization with OPAL).
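As an added example (not code from the original post or from OpenGrok), the script below makes the two points above measurable: it builds an HS256 JWT whose payload inlines a long role list, computes the size of the request header block exactly as a server has to buffer it (request line plus header lines plus CRLFs), and checks it against Tomcat's whole-block default of 8192 bytes and Nginx's per-line buffer of 8k. It then builds the "thin" alternative, a token that carries only an opaque reference to roles kept server-side, and shows that the roles are resolved only after the signature has been verified. The secret, host name and role names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo secret for this example only; a real deployment keeps the key in a secret store.
SECRET = b"demo-secret-do-not-use"

# Documented server defaults this example checks against.
TOMCAT_MAX_HTTP_HEADER_SIZE = 8192     # Tomcat Connector maxHttpHeaderSize (whole header block)
NGINX_LARGE_HEADER_BUFFER = 8 * 1024   # nginx large_client_header_buffers 4 8k: one header line per buffer


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict) -> str:
    """Compact-serialised HS256 JWT (RFC 7515/7519) over the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str) -> dict:
    """Return the claims only if alg is the expected one and the signature checks out."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))


def is_valid(token: str) -> bool:
    try:
        verify_hs256(token)
        return True
    except (ValueError, KeyError):
        return False


def request_headers(token: str) -> dict:
    """Headers a client would send with the token as a Bearer credential (host is constructed)."""
    return {"Host": "opengrok.example", "Authorization": f"Bearer {token}",
            "Accept": "text/html", "User-Agent": "example-client/1.0"}


def header_block_size(method: str, path: str, headers: dict) -> int:
    """Bytes the server must buffer before it can dispatch the request:
    request line, every header line and the terminating blank line, all CRLF-ended."""
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return sum(len(line.encode("utf-8")) + 2 for line in lines) + 2


def longest_header_line(headers: dict) -> int:
    """nginx rejects a request (400) if any single header line exceeds one buffer."""
    return max(len(f"{k}: {v}".encode("utf-8")) + 2 for k, v in headers.items())


def check_limits(headers: dict, path: str = "/search?q=main") -> dict:
    total = header_block_size("GET", path, headers)
    longest = longest_header_line(headers)
    return {"total_bytes": total, "longest_line": longest,
            "fits_tomcat": total <= TOMCAT_MAX_HTTP_HEADER_SIZE,
            "fits_nginx": longest <= NGINX_LARGE_HEADER_BUFFER}


def roles_for(n: int) -> list:
    return [f"project:{i}:read" for i in range(n)]   # constructed role names


def fat_token(n_roles: int) -> str:
    """Anti-pattern: every permission inlined into the token payload."""
    return sign_hs256({"sub": "alice", "iss": "https://idp.example", "exp": 1900000000,
                       "roles": roles_for(n_roles)})


_ROLE_STORE: dict = {}   # stands in for a database or cache the resource server can reach


def thin_token(n_roles: int) -> str:
    """Reference pattern: roles stay server-side, the token carries only an opaque handle."""
    ref = secrets.token_urlsafe(16)
    _ROLE_STORE[ref] = roles_for(n_roles)
    return sign_hs256({"sub": "alice", "iss": "https://idp.example", "exp": 1900000000,
                       "roles_ref": ref})


def roles_from_token(token: str) -> list:
    """Resolve roles for either token shape, but only after the signature has been verified."""
    claims = verify_hs256(token)
    if "roles" in claims:
        return claims["roles"]
    return _ROLE_STORE[claims["roles_ref"]]


if __name__ == "__main__":
    for n in (50, 500, 1000):
        print(n, "inlined roles:", check_limits(request_headers(fat_token(n))))
    print("reference token:", check_limits(request_headers(thin_token(1000))))
```

Run it and the inlined variant crosses both the Tomcat and the Nginx limit somewhere in the hundreds of roles, while the reference token stays at a few hundred bytes no matter how many roles the user holds. The store lookup happens inside roles_from_token only after verify_hs256 has accepted the signature, so a forged roles_ref can never reach the backing store.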
To fix this on Apache Tomcat, set the maxHttpHeaderSize attribute on the Connector in conf/server.xml (the default is 8192 bytes):
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
maxHttpHeaderSize="65536" />
Two caveats before raising it to 64 KB across the board: the header buffer is allocated per connection, so the new value multiplies the memory an unauthenticated client can make the server commit before any request is dispatched, and recent Tomcat releases also accept separate maxHttpRequestHeaderSize and maxHttpResponseHeaderSize attributes, which let you raise the request-side limit alone rather than both directions. If Tomcat sits behind a reverse proxy, the proxy's own header limit has to be raised as well, or the request never reaches the connector.