Reputation: 989
I have a situation where the HTTP Authorization request header size is more than 64kb (approximately 90kb) for a particular user. The reason for the large size is that the header contains a bearer token, and the user who has initiated the HTTP request has a lot of claims.
The problem is for this particular user the web server always returns an error stating:
"HTTP Error 400. The size of the request headers is too long".
The web application is self-hosted in a console application using Microsoft OWIN, so IIS is not involved.
While looking into the issue, I came across the http.sys parameters with this table: (excerpted)
| Registry key | Default | Valid value range | Registry key function |
|---|---|---|---|
| MaxFieldLength | 16384 | 64 - 65534 (64k - 2) bytes | Sets an upper limit for each header. See MaxRequestBytes. This limit translates to approximately 32k characters for a URL. |
| MaxRequestBytes | 16384 | 256 - 16777216 (16 MB) bytes | Determines the upper limit for the total size of the Request line and the headers. Its default setting is 16 KB. If this value is lower than MaxFieldLength, the MaxFieldLength value is adjusted. |
It denotes the maximum value for MaxFieldLength is 64kb which denotes the maximum header length handled by http.sys, and my server is set to the maximum value i.e. 65,536.
I tried increasing the value further to 131,072 out of curiosity, but as expected it did not solve the issue.
So is there any other way to increase the header maximum length?
Upvotes: 1
Views: 7148
Reputation: 989
After realizing that there is no possible solution from http.sys server on increasing the size limit beyond the stated maximum, the following solution has been implemented to overcome the problem in hand.
Disclaimer: It is more of a workaround than a proper solution.
Create a new version (v2, because these are breaking changes) of existing controllers with the following changes:
"access_token" in each request body with value of bearer token for handling authorization. Ignored for unprotected end points.
"Deprecated" tag.
Upvotes: 0
Reputation: 11249
I encountered this and solved it by just increasing the limits set in registry. (open command and type regedit).
You were right to modify MaxFieldLength, however, you also have to modify MaxRequestBytes as it is stated in the documentation:
Workaround 2: Set MaxFieldLength and MaxRequestBytes registry entries:
By default, there is no MaxFieldLength registry entry. This entry specifies the maximum size limit of each HTTP request header. The MaxRequestBytes registry entry specifies the upper limit for the total size of the Request line and the headers. Typically, this registry entry is configured together with the MaxRequestBytes registry entry.
If the MaxRequestBytes value is lower than the MaxFieldLength value, the MaxFieldLength value is adjusted. In large Active Directory environments, users may experience logon failures if the values for both these entries aren't set to a sufficiently high value.
You will have to add/modify these entries in:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
For IIS 6.0 and later, the MaxFieldLength and MaxRequestBytes registry keys are located at the following sub key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
Upvotes: 1
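The registry change discussed in this thread, scripted as an added PowerShell example (it is not part of the original answers or of Microsoft's documentation). It checks the requested values against the ranges in the table quoted in the question before writing them; the default target values are assumptions chosen for illustration, and the script must be run from an elevated session.

```powershell
# Added example: audit and set the http.sys header limits under HTTP\Parameters.
# Target values are illustrative assumptions; pass your own when invoking the script.
param(
    [int]$MaxFieldLength  = 65534,
    [int]$MaxRequestBytes = 131072
)

$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# Valid ranges in bytes, taken from the http.sys parameter table quoted in the question.
$ranges = @{
    MaxFieldLength  = @(64, 65534)
    MaxRequestBytes = @(256, 16777216)
}
$wanted = [ordered]@{
    MaxFieldLength  = $MaxFieldLength
    MaxRequestBytes = $MaxRequestBytes
}

# Refuse values outside the documented range instead of writing them blindly.
foreach ($name in $wanted.Keys) {
    $min, $max = $ranges[$name]
    if ($wanted[$name] -lt $min -or $wanted[$name] -gt $max) {
        throw "$name=$($wanted[$name]) is outside the documented range $min-$max"
    }
}

# The documentation says MaxFieldLength is adjusted when MaxRequestBytes is lower.
# Stop here so the per-header limit is never changed silently.
if ($MaxRequestBytes -lt $MaxFieldLength) {
    throw "MaxRequestBytes ($MaxRequestBytes) is lower than MaxFieldLength ($MaxFieldLength)"
}

foreach ($name in $wanted.Keys) {
    # A missing value means the default from the table (16384) applies.
    $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) { $current = '(not set, default 16384)' }
    Write-Host "$name : $current -> $($wanted[$name])"
    New-ItemProperty -Path $path -Name $name -PropertyType DWord `
        -Value $wanted[$name] -Force | Out-Null
}

# http.sys reads these values when the HTTP service starts.
Write-Host 'Restart the HTTP service or reboot for the new limits to take effect.'
```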