views:

3429

answers:

3

I have a web application that adds contextual information to XmlHttpRequest objects using the setRequestHeader API. I am using a custom header name (e.g. X-Foo) and a JSON structured value. It isn't part of the URL QueryString or POST body because it is meta information about the request.

Is there a practical size limit to the header value? If my JSON gets truncated, it becomes unparseable. I am most concerned with limits in Apache 2, Tomcat 6 and IIS 7. I did a Google search for http header length limit, but many of the results seem dated. There are some relevant comments in How big can a user agent string get? but not as specific as I would like.

Edit: I just ran across this similar question - Maximum on http header values?

+6  A: 

Yes, but the limits are configurable and dependent on platform. For example, Tomcat has a default limit of 8K. I believe that IIS 6, not sure about IIS 7, has a limit of 16K. I ran into this when using integrated windows authentication for several web sites. Turns out my security token was too large when encoded into the header. Fortunately, these are configurable. Registry settings for IIS can be found at http://support.microsoft.com/kb/820129. I believe the key settings to change are MaxFieldLength (per header size) and MaxRequestBytes (total size of request).

tvanfosson
I did find this link on MSDN to set IIS header limits for a specific header - http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/requestLimits/headerLimits
Kevin Hakanson
+4  A: 

For Apache, I found this Server Limits for Apache Security article that lists these directives:

  # allow up to 100 headers in a request
  LimitRequestFields 100
  # each header may be up to 8190 bytes long
  LimitRequestFieldsize 8190
Kevin Hakanson
A: 

http://www.boutell.com/newfaq/misc/urllength.html

chukhanhvan
the question is about headers not url's
fuzzy lollipop