client should not send longer request headers than server can accept #1867
Comments
tghosth
added
1) Discussion ongoing
|
This is input validation or sanitization of content going into an HTTP request, it is basically an expansion of #1739 (comment) where instead of a cookie we are talking about any header entry, correct? |
yes, the same problem is for every HTTP request header (field) which contains user-controlled input |
|
Please note this is more of a Webserver issue than an application issue. For example, Apache has a default 8k limit for the total size of the request header. NGINX is 4K.
|
|
Statement in the issue:
Comment from @jmanico
So, yes it is a webserver configuration question, but at the same time, the application needs to take this limit into account, and do not build longer values than it (a web server) can handle. |
|
Ok can you prepare a requirement text for this @elarlang ? |
|
Not ready yet to propose requirement text, just pieces to take into account:
|
spin-off from #1739 (comment)
Problem to solve: if a user controls input that is sent to the server via request header (token) value, it must be validated or sanitized to not be longer than the "max header field size" allowed by server configuration, usually it is 8kB.
Classical functionality: cookies, authorization headers (including access_token JWT's)
If an attacker controls the value and can set it to the client browser, this client will have error 413 or 400 as a response for each request and can not use the service.
The text was updated successfully, but these errors were encountered: