Maximum on http header values?

This article is translated from: Maximum on http header values?

Is there an accepted maximum allowed size for HTTP headers? If so, what is it? If not, is this something that's server specific or is the accepted standard to allow headers of any size?


#1

Reference: https://stackoom.com/question/2sW1/http标头值的最大值


#2

HTTP does not place a predefined limit on the length of each header field or on the length of the header section as a whole, as described in Section 2.5. Various ad hoc limitations on individual header field length are found in practice, often depending on the specific field semantics.

HTTP header values are restricted by server implementations. The HTTP specification doesn't restrict header size.

A server that receives a request header field, or set of fields, larger than it wishes to process MUST respond with an appropriate 4xx (Client Error) status code. Ignoring such header fields would increase the server's vulnerability to request smuggling attacks (Section 9.5).

Most servers will return 413 Entity Too Large or an appropriate 4xx error when this happens.

A client MAY discard or truncate received header fields that are larger than the client wishes to process if the field semantics are such that the dropped value(s) can be safely ignored without changing the message framing or response semantics.

Uncapped HTTP header size keeps the server exposed to attacks and can bring down its capacity to serve organic traffic.

Source


#3

I also found that in some cases the reason for a 502/400 with many headers could be the large number of headers, without regard to size. From the docs:

tune.http.maxhdr Sets the maximum number of headers in a request. When a request comes with a number of headers greater than this value (including the first line), it is rejected with a "400 Bad Request" status code. Similarly, too large responses are blocked with "502 Bad Gateway". The default value is 101, which is enough for all usages, considering that the widely deployed Apache server uses the same limit. It can be useful to push this limit further to temporarily allow a buggy application to work by the time it gets fixed. Keep in mind that each new header consumes 32 bits of memory for each session, so don't push this limit too high.

https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#3.2-tune.http.maxhdr
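Answers #2 and #3 describe two different caps a server in front of an application enforces: a limit on the total size of the header section (answer #2, where the RFC text says the server MUST answer with a 4xx rather than silently ignore oversized fields, because dropping them changes where the request ends) and a limit on the number of header lines (answer #3, HAProxy's tune.http.maxhdr, which counts the request line too). The Python sketch below is an added example, not code from the thread or from any of the servers named, showing how a request-head reader enforces both caps and which status it sends back. The 8192-byte and 101-line caps are assumptions chosen to mirror the Apache and HAProxy defaults quoted above, and the sample requests are constructed, not captured traffic.

```python
# Added example: enforce header-section limits the way a server should.
# Caps are assumptions chosen to mirror the Apache (8 KB) and HAProxy
# (tune.http.maxhdr = 101, request line included) defaults quoted above.
MAX_HEAD_BYTES = 8192
MAX_HEAD_LINES = 101


class HeaderLimitExceeded(Exception):
    """Raised with the 4xx status the server must send instead of ignoring
    the oversized head (RFC 7230 s3.2.5: dropping fields invites smuggling)."""

    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status
        self.reason = reason


def read_request_head(raw, max_bytes=MAX_HEAD_BYTES, max_lines=MAX_HEAD_LINES):
    """Parse the request line and header fields from the start of `raw`.

    Returns (request_line, [(name, value), ...], body_offset).
    Raises HeaderLimitExceeded(431) when the head exceeds max_bytes and
    HeaderLimitExceeded(400) when it has more than max_lines lines or is
    malformed. Raises ValueError if the head is not complete yet.
    """
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        # No terminator yet: stop buffering once the cap is reached instead
        # of letting the client grow the server's buffer without bound.
        if len(raw) >= max_bytes:
            raise HeaderLimitExceeded(431, "Request Header Fields Too Large")
        raise ValueError("incomplete header section")
    head = raw[:end + 4]
    if len(head) > max_bytes:
        raise HeaderLimitExceeded(431, "Request Header Fields Too Large")

    lines = head[:-4].split(b"\r\n")  # lines[0] is the request line
    if len(lines) > max_lines:        # HAProxy-style count, request line included
        raise HeaderLimitExceeded(400, "Bad Request")

    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):  # obs-fold continuation line: reject
            raise HeaderLimitExceeded(400, "Bad Request")
        name, sep, value = line.partition(b":")
        try:
            # No colon, empty name, or whitespace around the name is malformed.
            if not sep or not name or name != name.strip():
                raise ValueError
            headers.append((name.decode("ascii").lower(),
                            value.strip().decode("latin-1")))
        except ValueError:  # includes UnicodeDecodeError on a non-ASCII name
            raise HeaderLimitExceeded(400, "Bad Request") from None
    return lines[0].decode("ascii"), headers, end + 4


def rejection_response(exc):
    """Bytes to write back before closing the socket. Once the head has been
    refused the request boundary is unknown, so the connection must not be
    reused for a following request."""
    return (f"HTTP/1.1 {exc.status} {exc.reason}\r\n"
            "Connection: close\r\nContent-Length: 0\r\n\r\n").encode("ascii")


def head_status(raw):
    """None if the head is accepted, otherwise the 4xx code to send."""
    try:
        read_request_head(raw)
    except HeaderLimitExceeded as exc:
        return exc.status
    return None


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    ok = b"GET / HTTP/1.1\r\nHost: example.test\r\nCookie: sid=abc\r\n\r\nbody"
    fat_cookie = (b"GET / HTTP/1.1\r\nHost: example.test\r\nCookie: sid="
                  + b"a" * 9000 + b"\r\n\r\n")
    many = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
            + b"".join(b"X-H%d: v\r\n" % i for i in range(150)) + b"\r\n")
    for label, req in (("ok", ok), ("fat_cookie", fat_cookie), ("many", many)):
        print(label, head_status(req))
```

The two caps fail differently on purpose: an oversized section gets 431 (RFC 6585's status for exactly this case; the 413 answer #2 mentions is what older servers send), while too many lines or a malformed line gets 400, matching the HAProxy text. In both cases the response carries Connection: close, since a server that has refused to parse the head cannot know where the next request would start.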


#4

No, HTTP does not define any limit. However most web servers do limit the size of headers they accept. For example, in Apache the default limit is 8KB; in IIS it's 16K. The server will return a 413 Entity Too Large error if the header size exceeds that limit.

Related question: How big can a user agent string get?


#5

As vartec says above, the HTTP spec does not define a limit, however many servers do by default. This means, practically speaking, the lower limit is 8K. For most servers, this limit applies to the sum of the request line and ALL header fields (so keep your cookies short).

It's worth noting that nginx uses the system page size by default, which is 4K on most systems. You can check with this tiny program:

pagesize.c:

#include <unistd.h>   /* getpagesize() */
#include <stdio.h>

int main(void) {
    /* the value the answer above says nginx sizes its header buffer from */
    int pageSize = getpagesize();
    printf("Page size on your system = %i bytes\n", pageSize);
    return 0;
}

Compile with gcc -o pagesize pagesize.c then run ./pagesize . My ubuntu server from Linode dutifully informs me the answer is 4k.
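Answers #4 and #5 make the point that the real limit is whatever the server in front of you enforces, so the practical check is to measure it rather than trust a default. The script below is an added example, not code from the thread, that binary-searches the header size and the header count at which a server stops answering 200. So that it runs offline it starts Python's own http.server on a loopback port as the target (its limits are its own, not Apache's or nginx's); pass another host and port to probe_header_size / probe_header_count to measure a server you operate, and keep the upper bounds modest, since an oversized-header flood against a server you do not own is exactly the attack answer #2 warns about. The X-Probe and X-P<n> header names are assumptions chosen for the probe.

```python
# Added example: measure the header limits a server actually enforces.
import functools
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _OkHandler(BaseHTTPRequestHandler):
    """Stand-in target: answers 200 to any GET it manages to parse."""
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the probe output readable
        pass


def start_local_server():
    """Start http.server on an ephemeral loopback port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def send_raw(host, port, request):
    """Send one raw request on a fresh connection and return the status code.
    Returns 0 if the server drops the connection before sending a status
    line, which for this purpose counts as a rejection."""
    try:
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(request)
            buf = b""
            while b"\r\n" not in buf:
                chunk = s.recv(4096)
                if not chunk:
                    return 0
                buf += chunk
            status = int(buf.split(b"\r\n", 1)[0].split()[1])
            try:
                while s.recv(4096):  # drain so the server finishes cleanly
                    pass
            except OSError:
                pass
            return status
    except (OSError, ValueError, IndexError):
        return 0


def probe_header_size(host, port, size):
    """One request whose single X-Probe header value is `size` bytes."""
    req = (b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n"
           + b"X-Probe: " + b"a" * size + b"\r\n"
           + b"Connection: close\r\n\r\n")
    return send_raw(host, port, req)


def probe_header_count(host, port, count):
    """One request carrying `count` small X-P<n> headers."""
    req = (b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n"
           + b"".join(b"X-P%d: v\r\n" % i for i in range(count))
           + b"Connection: close\r\n\r\n")
    return send_raw(host, port, req)


def find_threshold(probe, lo, hi):
    """Smallest n in (lo, hi] for which probe(n) is not 200, by binary search.
    Assumes probe(lo) succeeds and probe(hi) is rejected (caller checks)."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid) == 200:
            lo = mid
        else:
            hi = mid
    return hi


def run_demo(host="127.0.0.1"):
    """Start the local target, measure both thresholds, return the results."""
    srv = start_local_server()
    port = srv.server_address[1]
    size = functools.partial(probe_header_size, host, port)
    count = functools.partial(probe_header_count, host, port)
    try:
        results = {
            "small_size_status": size(16),
            "small_count_status": count(5),
            "big_size_status": size(70000),
            "big_count_status": count(150),
        }
        results["first_rejected_header_bytes"] = find_threshold(size, 16, 70000)
        results["first_rejected_header_count"] = find_threshold(count, 5, 150)
    finally:
        srv.shutdown()
        srv.server_close()
    for key, value in results.items():
        print(f"{key}: {value}")
    return results


if __name__ == "__main__":
    run_demo()
```

Against the local http.server target the size search stops just under its 64 KiB line limit and the count search just under its limit of 100 header lines; against Apache or nginx with the defaults quoted above you should see the size threshold land near 8K (and near 4K on an nginx whose buffer follows the page size), which is the number the cookie advice in answer #5 is really about.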
