Why need to set limit with http request header? - Apache - PhpOut

namnv
October 14, 2021
246 views
0 votes
2 Answers

Why need to set limit with http request header?

Everyone knows that the request header is limited( tomcat 8k…),
but I can’t find any information why it should be.

Is it related to buffer overflow attacks?

Thank you.

Tags: apache http request webserver

Answers

Chosen as BEST ANSWER
- namnv
- October 14, 2021 at 6:09 pm
- 0 votes
0
I think I found the answer to my curiosity in the apache security book.

Properly configured limits mitigate buffer overflow exploits, preventing Denial of Service (DoS) attacks.

(Edit)

- Evert
- October 14, 2021 at 6:07 am
- 0 votes
0
HTTP doesn’t impose limits.

However, if server doesn’t impose limits it means that a client could (for example) make a HTTP requests with a header that’s many gigabytes in size.

If the server did not set a limit, it would mean that the server has to wait until the client is done sending the header, and in the meanwhile the server has to collect this header in memory, perhaps even exceeding the total memory of the server.

If this were possible, clients could construct HTTP requests that crash servers. To prevent this, servers set limits.

Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.