Why need to set limit with http request header?
Everyone knows that the request header is limited (Tomcat 8k...), but I can't find any information on why it should be.
Is it related to buffer overflow attacks?
Thank you.
CodePudding user response:
HTTP doesn't impose limits.
However, if the server doesn't impose limits, it means that a client could (for example) make an HTTP request with a header that's many gigabytes in size.
If the server did not set a limit, it would mean that the server has to wait until the client is done sending the header, and in the meanwhile the server has to collect this header in memory, perhaps even exceeding the total memory of the server.
If this were possible, clients could construct HTTP requests that crash servers. To prevent this, servers set limits.
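The behaviour the answer above describes, as an added example that is not part of the original thread: a toy header reader that buffers the request head with and without a size cap, fed a constructed request whose single Cookie header is 1 MiB. The 8192-byte cap and the 431 status code (Request Header Fields Too Large, RFC 6585) are choices made for this example; the parser is deliberately minimal and not a model of any real server's code.

```python
import io

# Cap comparable to the Tomcat default mentioned in the question; the exact
# value is an assumption made for this example.
MAX_HEADER_BYTES = 8192


class HeaderTooLarge(Exception):
    """Raised when the request line plus headers exceed the configured cap."""


def read_request_head(stream, max_bytes=MAX_HEADER_BYTES):
    """Read the request line and header block from a byte stream.

    Returns (request_line, headers, bytes_buffered).  With max_bytes set, the
    reader never holds more than max_bytes + 1 bytes of header data.  With
    max_bytes=None it keeps reading until the blank line, however large the
    header grows, which is the unbounded behaviour the answer warns about.
    """
    lines = []
    buffered = 0
    while True:
        if max_bytes is None:
            line = stream.readline()
        else:
            # Ask for at most one byte past the remaining budget so a single
            # huge line cannot be pulled into memory in one call.
            line = stream.readline(max_bytes - buffered + 1)
        if not line:
            raise ValueError("stream ended before end of headers")
        buffered += len(line)
        if max_bytes is not None and buffered > max_bytes:
            raise HeaderTooLarge(buffered)
        if line in (b"\r\n", b"\n"):
            break
        lines.append(line.rstrip(b"\r\n").decode("latin-1"))
    if not lines:
        raise ValueError("empty request head")
    headers = {}
    for raw in lines[1:]:
        name, _, value = raw.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, buffered


def handle_request(raw, max_bytes=MAX_HEADER_BYTES):
    """Toy server step: parse the head and choose an HTTP status code.

    Returns (status, bytes_buffered) so the memory cost of each policy is visible.
    """
    try:
        _request_line, _headers, buffered = read_request_head(io.BytesIO(raw), max_bytes)
    except HeaderTooLarge as exc:
        # 431 Request Header Fields Too Large (RFC 6585); the connection would be closed.
        return 431, exc.args[0]
    except ValueError:
        return 400, 0
    return 200, buffered


# Constructed sample inputs for this example, not captured from any real system.
GOOD_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    + b"Host: example.test\r\n"
    + b"User-Agent: demo\r\n"
    + b"\r\n"
)

# A request whose single Cookie header is 1 MiB: cheap for the client to send,
# expensive for a server that must hold all of it before it can respond.
HUGE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    + b"Host: example.test\r\n"
    + b"Cookie: " + b"A" * (1024 * 1024) + b"\r\n"
    + b"\r\n"
)

if __name__ == "__main__":
    print("normal request, capped reader:   ", handle_request(GOOD_REQUEST))
    print("1 MiB header, capped reader:     ", handle_request(HUGE_REQUEST))
    print("1 MiB header, uncapped reader:   ", handle_request(HUGE_REQUEST, max_bytes=None))
```

With the cap, the oversized request is rejected after 8193 bytes and the rest of the header is never read into memory; without the cap the same request costs the server the full megabyte before it can even decide what to do, and a client can repeat that on thousands of connections.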
CodePudding user response:
I think I found the answer to my curiosity in the Apache security book.
Properly configured limits mitigate buffer overflow exploits, preventing Denial of Service (DoS) attacks.