Is there a practical HTTP header length limit?

Time: 2022-06-10 22:19:39

I have a web application that adds contextual information to XmlHttpRequest objects using the setRequestHeader API. I am using a custom header name (e.g. X-Foo) and a JSON structured value. It isn't part of the URL QueryString or POST body because it is meta information about the request.

Is there a practical size limit to the header value? If my JSON gets truncated, it becomes unparseable. I am most concerned with limits in Apache 2, Tomcat 6 and IIS 7. I did a Google search for http header length limit, but many of the results seem dated. There are some relevant comments in How big can a user agent string get? but not as specific as I would like.

Edit: I just ran across this similar question - Maximum on http header values?

5 solutions

#1


Yes, but the limits are configurable and dependent on platform. For example, Tomcat has a default limit of 8K. I believe that IIS 6, not sure about IIS 7, has a limit of 16K. I ran into this when using integrated windows authentication for several web sites. Turns out my security token was too large when encoded into the header. Fortunately, these are configurable. Registry settings for IIS can be found at http://support.microsoft.com/kb/820129. I believe the key settings to change are MaxFieldLength (per header size) and MaxRequestBytes (total size of request).

#2


Although each web server software has some limitations, there is a difference whether there’s a limit for the HTTP request line plus header fields or for each header field.

Here’s a summary:

  • Apache 1.3, 2.0, 2.2, 2.3: 8190 Bytes (for each header field)

  • IIS:
    • 4.0: 2097152 Bytes (for the request line plus header fields)
    • 5.0: 131072 Bytes, 16384 Bytes with Windows 2000 Service Pack 4 (for the request line plus header fields)
    • 6.0: 16384 Bytes (for each header field)

  • Tomcat:
    • 5.5.x/6.0.x: 49152 Bytes (for the request line plus header fields)
    • 7.0.x: 8190 Bytes (for the request line plus header fields)

So to conclude: To be accepted by all web servers above, a request’s request line plus header fields should not exceed 8190 Bytes. This is also the limit for each header field (effectively even less).
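
The 8190-byte budget above, applied to the question's X-Foo JSON header, as an added example that is not part of the original answers. The function names and the sample values are hypothetical, and headers the browser adds on its own (cookies, User-Agent) have to be estimated by the caller and passed in as `otherHeaders`.

```javascript
// Added example: size check for a JSON value carried in a custom request header.
// LIMIT_BYTES is the 8190-byte figure from the answer above; all names are hypothetical.
const LIMIT_BYTES = 8190;

// Serialize to ASCII-only JSON so one character is one byte on the wire.
// JSON.stringify already escapes control characters, so CR/LF cannot reach
// the header value; the replace() escapes DEL and everything non-ASCII.
function toAsciiJson(obj) {
  return JSON.stringify(obj).replace(/[\u007f-\uffff]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Bytes one header field occupies as "Name: value\r\n" (conservative: counts the CRLF).
function fieldBytes(name, value) {
  return name.length + 2 + value.length + 2;
}

// Bytes of the request line, all header fields and the terminating blank line.
// Assumes target and header values are already ASCII (percent-encoded URL).
function requestHeadBytes(method, target, headers) {
  let total = `${method} ${target} HTTP/1.1\r\n`.length + 2;
  for (const [name, value] of Object.entries(headers)) {
    total += fieldBytes(name, value);
  }
  return total;
}

// Returns the header value if both the single field and the whole request
// head fit the budget; otherwise throws, so the caller can shrink the context
// instead of sending a request that a server or proxy may reject.
function buildContextHeader(name, context, otherHeaders, method, target) {
  const value = toAsciiJson(context);
  const field = fieldBytes(name, value);
  const head = requestHeadBytes(method, target, { ...otherHeaders, [name]: value });
  if (field > LIMIT_BYTES || head > LIMIT_BYTES) {
    throw new RangeError(
      `${name}: field ${field} B, request head ${head} B, limit ${LIMIT_BYTES} B`);
  }
  return value;
}

// Browser usage (constructed sample):
//   xhr.setRequestHeader("X-Foo",
//     buildContextHeader("X-Foo", ctx, { Cookie: document.cookie }, "GET", "/api"));
```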

#3


For Apache, I found this Server Limits for Apache Security article that lists these directives:

  # allow up to 100 headers in a request
  LimitRequestFields 100
  # each header may be up to 8190 bytes long
  LimitRequestFieldsize 8190

For Nginx, the large_client_header_buffers directive from HttpCoreModule controls this:

The longest header line of the request also must be not more than the size of one buffer, otherwise the client gets the error "Bad request" (400).

By default the size of one buffer is equal to the size of a page; depending on the platform this is either 4K or 8K.

#4


While you can configure the server, it's unlikely that you really can configure the whole way through firewalls, load balancers and proxies. Keeping the header size small keeps problems away.

#5


The Flash Media Server 4.5 has a very short default header length limit which can cause the server to simply not respond, particularly in circumstances where there is a moderate cookie load.

See: Flash Media Server 4.5 Configuration and Administration: Configuring the server > Configuring Apache HTTP Server > Specify the maximum HTTP header line length

In the Flash Media Server Adaptor.xml file, the MaxHeaderLineLength element determines the size of the HTTP header the server can handle. The default value for MaxHeaderLineLength is 1024 bytes. Some browsers send a header larger than 1024 bytes. In this scenario, Apache sends back an empty response. To fix this issue, configure MaxHeaderLineLength to 8192.

Note: By default, the Apache HTTP header size limit is 8 KB (8190 bytes plus a carriage return).

Putting this here in case the header size limit on Flash Media Server bites someone else.
