Reputation: 21
My front-end application uses OKTA and passes the access token to my backend. The backend then parses the token information to get user information and check whether the token is expired. Unfortunately, this OKTA token sometimes becomes large enough that sending it in the Authorization header along with whatever cookies are attached (none of which are associated with my app) results in the following error on the backend:
Stream exception thrown for unknown stream 55. io.netty.handler.codec.http2.Http2Exception$HeaderListSizeException: Header size exceeded max allowed size (8192)
Unfortunately, removing this token from the header is not an option, so I've attempted to increase the max header size accepted by HTTPS requests (see snippet below).
When sending the request with the large token over HTTP, the backend accepts it without issue. However, when sending the same request over HTTPS, the backend produces the result above.
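    // Imports assume Ktor 2.x package names and Netty 4.1.
    import io.ktor.server.application.Application
    import io.ktor.server.engine.embeddedServer
    import io.ktor.server.netty.Netty
    import io.netty.channel.ChannelInitializer
    import io.netty.channel.ChannelPipeline
    import io.netty.channel.socket.SocketChannel
    import io.netty.handler.codec.http.HttpObjectDecoder
    import io.netty.handler.codec.http2.Http2FrameCodecBuilder
    import io.netty.handler.codec.http2.Http2Settings

    fun main() {
        embeddedServer(
            factory = Netty,
            configure = {
                configureBootstrap = {
                    // Configure HTTP/1.1
                    maxInitialLineLength = HttpObjectDecoder.DEFAULT_MAX_INITIAL_LINE_LENGTH
                    maxHeaderSize = 16 * 1024 // 16KB
                    maxChunkSize = HttpObjectDecoder.DEFAULT_MAX_CHUNK_SIZE
                    // Configure HTTP/2
                    val http2Settings = Http2Settings()
                    http2Settings.maxHeaderListSize(16 * 1024) // 16KB
                    val http2Codec = Http2FrameCodecBuilder.forServer()
                        .initialSettings(http2Settings)
                        .build()
                    this.childHandler(object : ChannelInitializer<SocketChannel>() {
                        override fun initChannel(channel: SocketChannel) {
                            val pipeline: ChannelPipeline = channel.pipeline()
                            pipeline.addLast("http2Codec", http2Codec)
                        }
                    })
                }
            },
            module = Application::module
        ).start(wait = true)
    }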
Why does this configuration not affect my request over HTTPS? According to the snippet above, I would expect to be able to send a request so long as the header is < 16KB in size.
Stack Information
Thanks in advance!
Upvotes: 2
Views: 51
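The 8192 in the error is a limit on the HTTP/2 header list size, which counts each field as its uncompressed name length plus value length plus 32 octets (RFC 9113, section 6.5.2). As an added example, not part of the original post, the following Kotlin program totals a request's fields that way and checks the result against 8192 and the 16 KB the question aims for; every header name and value in it is constructed.

```kotlin
// Added example: header names and values are constructed, not taken from the question.
const val ENTRY_OVERHEAD = 32 // octets added per field (RFC 9113, section 6.5.2)

data class FieldCost(val name: String, val octets: Int)

// Cost of each field as counted against SETTINGS_MAX_HEADER_LIST_SIZE:
// uncompressed name length + value length + 32 octets of overhead.
fun fieldCosts(headers: List<Pair<String, String>>): List<FieldCost> =
    headers.map { (name, value) ->
        val octets = name.toByteArray(Charsets.UTF_8).size +
            value.toByteArray(Charsets.UTF_8).size + ENTRY_OVERHEAD
        FieldCost(name, octets)
    }

fun headerListSize(headers: List<Pair<String, String>>): Int =
    fieldCosts(headers).sumOf { it.octets }

fun fits(headers: List<Pair<String, String>>, limit: Int): Boolean =
    headerListSize(headers) <= limit

fun main() {
    // Constructed request: pseudo-headers count too, as do cookies set for other apps.
    val request = listOf(
        ":method" to "GET",
        ":scheme" to "https",
        ":authority" to "api.example.test",
        ":path" to "/v1/profile",
        "authorization" to "Bearer " + "A".repeat(7000), // stand-in for a large access token
        "cookie" to "other_app_session=" + "b".repeat(1200),
        "accept" to "application/json",
    )
    // Largest contributors first, so the field to shrink is obvious.
    for (cost in fieldCosts(request).sortedByDescending { it.octets }) {
        println("%-14s %6d octets".format(cost.name, cost.octets))
    }
    println("%-14s %6d octets".format("total", headerListSize(request)))
    for (limit in listOf(8192, 16 * 1024)) {
        val verdict = if (fits(request, limit)) "within limit" else "exceeds limit"
        println("limit %5d: %s".format(limit, verdict))
    }
}
```

Logging the same per-field breakdown for rejected requests shows whether the token or the unrelated cookies account for the overflow before any server limit is raised.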