Sauternes

Reputation: 11

What is causing 'size of a request header field exceeds limit' 400 bad request errors?

I have discovered some visitors to my websites are receiving '400 bad request' error messages. I haven't been able to replicate the problem, which is making it extremely difficult to fix.

From inspecting the server logs it seems some users are arriving at the site, loading a page and perhaps a few others, but then receiving 400 bad request errors.

I haven't been able to spot a pattern in the errors yet. They do not seem to be specific to any device, browser or time of day. The 400 errors occur on pages as well as image files.

The site I am running is based on WordPress. I have tried deactivating all plugins and switching to a different theme, but I can see from the server logs that the errors continued during this period.

I managed to contact several users who have the problem. They said the error message they received was the following:

"Your browser sent a request that this server could not understand. Size of a request header field exceeds limit."

We've increased the sizes of large_client_header_buffers and LimitRequestFieldSize but again this has had no effect.

It appears that if the users who have the problem clear their cookies the problem goes away. But what I need is a solution I can implement on the site which solves it for all users. Can anyone suggest what I should do please, or at least point me in the direction of any useful information which might help me get to the bottom of it?

Upvotes: 1

Views: 5687

Answers (2)

Andre Clements

Reputation: 894

Cookies can pile up really quickly, especially if they’re encrypted (as they are by default with, e.g., Laravel), even 3x+ the payload size. If you increase LimitRequestFieldSize in your virtual host config for the site, that might still be overridden by Apache’s hard-coded default (usually 8KB / 8192 bytes), unless you have also explicitly changed it in:

  • CentOS/RHEL/Fedora/AlmaLinux /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/*.conf
  • Ubuntu/Debian /etc/apache2/apache2.conf or /etc/apache2/conf-available/*.conf

For Nginx, check large_client_header_buffers; for IIS, see MaxRequestBytes.

I hope this helps someone, cost me a few hours.

Upvotes: 0
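A quick way to confirm that it really is one header line (almost always Cookie) that is blowing past the limit, as an added diagnostic example that is not part of the question or either answer: the script below parses the head of a raw HTTP/1.1 request, measures every header line the way Apache and nginx do (the whole "Name: value" line, in bytes), and breaks the Cookie header down per cookie so you can see which one is inflating it. The 8190-byte limit is Apache's documented default for LimitRequestFieldSize; the request, host name and cookie names are constructed for the example and do not come from the poster's site.

```python
"""Find request header fields that exceed Apache's LimitRequestFieldSize.

Example code added to this page; it is not from the original post.
It works on the raw request head, which you can capture with a packet
capture, a browser's "copy as raw" request export, or a reverse proxy
that logs request headers.
"""

# Apache's documented default for LimitRequestFieldSize, in bytes.
APACHE_DEFAULT_FIELD_LIMIT = 8190


def header_lines(raw_request: bytes) -> list[bytes]:
    """Return the header lines of a raw request head, without the request line.

    Obsolete line folding (a continuation line starting with SP/HTAB) is
    joined onto the previous line, since servers count the joined field.
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    lines: list[bytes] = []
    for line in head.split(b"\r\n")[1:]:  # [1:] drops "GET /path HTTP/1.1"
        if line[:1] in (b" ", b"\t") and lines:
            lines[-1] += line
        elif line:
            lines.append(line)
    return lines


def oversized_fields(raw_request: bytes,
                     limit: int = APACHE_DEFAULT_FIELD_LIMIT) -> list[tuple[str, int]]:
    """Return (field name, line length in bytes) for every header line over `limit`.

    Apache applies LimitRequestFieldSize, and nginx one buffer of
    large_client_header_buffers, to each header line individually, so the
    per-line length is what matters, not the total size of all headers.
    """
    over = []
    for line in header_lines(raw_request):
        name, _, _ = line.partition(b":")
        if len(line) > limit:
            over.append((name.strip().decode("latin-1"), len(line)))
    return over


def cookie_sizes(raw_request: bytes) -> dict[str, int]:
    """Bytes used by each cookie-pair in the Cookie header(s), largest first.

    This is the breakdown you need to decide which Set-Cookie to fix on the
    server side; raising the buffer only hides a cookie that keeps growing.
    """
    sizes: dict[str, int] = {}
    for line in header_lines(raw_request):
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"cookie":
            continue
        for pair in value.split(b";"):
            pair = pair.strip()
            if not pair:
                continue
            cookie_name, _, _ = pair.partition(b"=")
            key = cookie_name.decode("latin-1")
            sizes[key] = sizes.get(key, 0) + len(pair)
    return dict(sorted(sizes.items(), key=lambda kv: kv[1], reverse=True))


def sample_request() -> bytes:
    """Constructed request: a WordPress image load whose Cookie header has grown
    past the default limit. The cookie names and values are made up."""
    bloated = b"wp_cache_state=" + b"A" * 9000   # stand-in for a cookie that keeps growing
    cookies = b"; ".join([
        b"wordpress_test_cookie=WP+Cookie+check",
        b"wp-settings-time-1=1700000000",
        bloated,
    ])
    return (b"GET /wp-content/uploads/logo.png HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"User-Agent: Mozilla/5.0\r\n"
            b"Cookie: " + cookies + b"\r\n"
            b"\r\n")


if __name__ == "__main__":
    req = sample_request()
    for field, size in oversized_fields(req):
        print(f"{field}: {size} bytes > {APACHE_DEFAULT_FIELD_LIMIT}")
    for cookie, size in cookie_sizes(req).items():
        print(f"  {cookie}: {size} bytes")
```

Run against the constructed request it reports the Cookie line at 9093 bytes, with wp_cache_state accounting for 9015 of them. Two practical points follow from the per-line measurement: LimitRequestFieldSize only takes effect in the server config or a VirtualHost block, not in .htaccess, and a user who clears cookies "fixes" the problem only until the offending cookie grows back, so the durable fix is to find the Set-Cookie that keeps growing (a logging format that includes %{Cookie}i makes the sizes visible in the access log) rather than to keep raising the limit.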

ankit singh

Reputation: 306

I was getting the same error when I was hitting webhooks (the Lago webhook API, to be specific).

I solved it by using an HMAC signature instead of a JWT signature for the webhooks.

(With a JWT signature, size-limit issues may arise because of the header payload; with an HMAC signature, there are no size-limit issues, as the header payload is shorter.)

Upvotes: 0
