xmichaelx

Reputation: 629

How to increase size limit for HTTP header value in request for Azure IIS?

Token is passed in Authorization header in GET request like this:

Authorization: Bearer <token here>

Using trial and error, I figured out that the header value limit must be around 2048, because requests with tokens smaller than that are passed to my ASP.NET app without any changes, and requests with larger tokens have the Authorization header removed, triggering a 401 in my app.

App is published to Azure. It doesn't seem to matter whether request is GET or POST.

Limit looks similar to querystring limit so I've increased the allowed query string and it didn't help.

IIS version: 8.0 (from response headers)

Upvotes: 3

Views: 16727

Answers (1)

Amor

Reputation: 8491

By default, the header length limit is 65536, which is set in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters registry key. I tested it both on my local machine and on an Azure Web App. Here is the code I used to test with:

On server side I used

public class HomeController : Controller
{
    public ActionResult Index()
    {
        return Content(Request.Headers["Authorization"]);
    }
}

On client side, I used

static async void SendRequest()
{
    HttpClient client = new HttpClient();
    string token = "";
    for (int i = 0; i < 2050; i++)
    {
        token = token + "0";
    }
    client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", token);
    HttpResponseMessage message = await client.GetAsync("http://xxx.azurewebsites.net/");
    string content = await message.Content.ReadAsStringAsync();
    Console.WriteLine(content);
}

I can get the Authorization parameter back.

[Screenshot: console prompt with extremely long Bearer value]

"Using trial and error I figured out that header value limit must be around 2048"

Another place you might have a limit is the headerLimits config section. You can add length limits for specific headers in this config section.

If I add this configuration to web.config

<system.webServer>
  <security>
    <requestFiltering>
      <requestLimits>
        <headerLimits >
          <add header="Authorization" sizeLimit="2048" />
        </headerLimits>
      </requestLimits>
    </requestFiltering>
  </security>
</system.webServer>

…the request from my client was blocked and I got the following error:

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

If I increase the sizeLimit to meet the length of the request's Authorization header, for example 2058, the request will be executed OK.

So please check whether you have modified the headerLimits config section in your web.config file. If yes, it will block your request if the length of this header is larger than the limit value. To solve it, we can increase the value of sizeLimit to modify the limit of Authorization header.

Upvotes: 3
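
The check the answer recommends can be scripted. The following is an added example, not code from the question or the answer: it reads a web.config, collects every headerLimits entry, and reports whether a Bearer token of a given length fits under the Authorization limit. The function names and the embedded sample config are constructed for illustration, and it assumes sizeLimit is compared against the header value ("Bearer " plus the token), which matches the 2048 / 2058 test above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the web.config fragment from the answer above.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits>
          <headerLimits>
            <add header="Authorization" sizeLimit="2048" />
          </headerLimits>
        </requestLimits>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

def header_limits(web_config_xml):
    """Return {lowercased header name: sizeLimit} for every headerLimits <add>."""
    root = ET.fromstring(web_config_xml)
    limits = {}
    # './/' also finds sections nested under <location> elements.
    for add in root.findall(".//requestFiltering/requestLimits/headerLimits/add"):
        name, size = add.get("header"), add.get("sizeLimit")
        if name and size and size.isdigit():
            limits[name.lower()] = int(size)  # header names are case-insensitive
    return limits

def check_bearer_token(web_config_xml, token_length, scheme="Bearer"):
    """Compare the Authorization header value length with its configured limit.

    Assumption: sizeLimit is compared against the header value
    ("Bearer " + token), which matches the answer's 2048 / 2058 test.
    """
    value_length = len(scheme) + 1 + token_length
    limit = header_limits(web_config_xml).get("authorization")
    return {
        "value_length": value_length,
        "limit": limit,
        "fits": limit is None or value_length <= limit,
    }

if __name__ == "__main__":
    # The answer's test case: a 2050-character token against sizeLimit="2048".
    print(check_bearer_token(SAMPLE_WEB_CONFIG, 2050))
```

A result with "limit" set to None means no headerLimits entry for Authorization was found in that file, so the truncation would have to come from somewhere else.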
