HTTP 标头值的最大值?
HTTP 标头是否有可接受的最大允许大小? 如果是的话,那是什么? 如果不是,这是特定于服务器的内容还是允许任何大小的标头的公认标准?
Is there an accepted maximum allowed size for HTTP headers? If so, what is it? If not, is this something that's server specific or is the accepted standard to allow headers of any size?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
不,HTTP 没有定义任何限制。 然而,大多数网络服务器确实限制它们接受的标头的大小。 例如,Apache 默认限制是 8KB,在 IIS 16K。 如果标头大小超过该限制,服务器将返回
413 Entity Too Large
错误。相关问题:用户代理字符串可以有多大?
No, HTTP does not define any limit. However most web servers do limit size of headers they accept. For example in Apache default limit is 8KB, in IIS it's 16K. Server will return
413 Entity Too Large
error if headers size exceeds that limit.Related question: How big can a user agent string get?
正如 vartec 上面所说,HTTP 规范没有定义限制,但许多服务器默认情况下都定义了限制。 这意味着,实际上,下限是8K。 对于大多数服务器,此限制适用于请求行和所有标头字段的总和(因此请保持 cookie 简短)。
值得注意的是,nginx 默认使用系统页面大小,在大多数系统上为 4K。 您可以使用这个小程序进行检查:
pagesize.c:
使用
gcc -o pagesize pagesize.c
编译,然后运行./pagesize
。 我的 Linode 的 ubuntu 服务器尽职尽责地告诉我答案是 4k。As vartec says above, the HTTP spec does not define a limit, however many servers do by default. This means, practically speaking, the lower limit is 8K. For most servers, this limit applies to the sum of the request line and ALL header fields (so keep your cookies short).
It's worth noting that nginx uses the system page size by default, which is 4K on most systems. You can check with this tiny program:
pagesize.c:
Compile with
gcc -o pagesize pagesize.c
then run./pagesize
. My ubuntu server from Linode dutifully informs me the answer is 4k.这是最流行的 Web 服务器的限制
Here is the limit of most popular web server
HTTP 标头值受服务器实现的限制。 HTTP 规范不限制标头大小。
发生这种情况时,大多数服务器将返回
413 Entity Too Large
或相应的 4xx 错误。不受限制的 HTTP 标头大小使服务器容易受到攻击,并可能降低其服务自然流量的能力。
来源
HTTP Header values are restricted by server implementations. Http specification doesn't restrict header size.
Most servers will return
413 Entity Too Large
or appropriate 4xx error when this happens.Uncapped HTTP header size keeps the server exposed to attacks and can bring down its capacity to serve organic traffic.
Source
2011 年的 RFC 6265 规定了对 Cookie 的具体限制。
RFC 的目标受众是用户代理或服务器必须支持的内容。 看来要调整您的服务器以支持浏览器允许的内容,您需要将 4096*50 配置为限制。 正如下面的文字所示,这似乎远远超出了典型 Web 应用程序的需要。 使用电流限制和 RFC 概述的上限并比较较高配置的内存和 IO 后果将很有用。
RFC 6265, dated 2011, prescribes specific limits on cookies.
The intended audience of the RFC is what must be supported by a user-agent or a server. It appears that to tune your server to support what the browser allows you would need to configure 4096*50 as the limit. As the text that follows suggests, this does appear to be far in excess of what is needed for the typical web application. It would be useful to use the current limit and the RFC outlined upper limit and compare the memory and IO consequences of the higher configuration.
我还发现,在某些情况下,在许多标头的情况下出现 502/400 的原因可能是因为存在大量标头,而不考虑大小。
从文档
https://cbonte.github.io/ haproxy-dconv/configuration-1.5.html#3.2-tune.http.maxhdr
I also found that in some cases the reason for 502/400 in case of many headers could be because of a large number of headers without regard to size.
from the docs
https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#3.2-tune.http.maxhdr
如果您打算使用 Akamai 等任何 DDOS 提供商,他们的响应标头大小最大限制为 8k。 因此,本质上尝试将响应标头大小限制在 8k 以下。
If you are going to use any DDOS provider like Akamai, they have a maximum limitation of 8k in the response header size. So essentially try to limit your response header size below 8k.