Hosted Targets - limitations with HTTP header size

Dear community.

The NodeJS team recently pushed some updates to their latest stable release.

https://nodejs.org/en/blog/release/v8.14.0/

The notable change is that they have added a limitation on the total size of the HTTP request headers that can be sent to a NodeJS app to 8192 bytes, or roughly the same number of characters, including header names, header values, and any carriage returns. This was done in order to mitigate Denial of Service attacks.

Since Apigee Edge allows 16KB in the headers, it is possible that Apigee will accept a request but then HT will reject it with an HTTP 413 or, in some circumstances, a 5xx.

The best practice we recommend is to limit the headers that get sent to the backend by using an Assign Message policy to remove any headers that are not relevant to the backend. If you are sending a lot of headers containing meaningful data, consider moving this to the request body.

https://docs.apigee.com/api-platform/reference/policies/assign-message-policy#removeelement-removehe...

Regards, Mark
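The size mismatch described in this post, as an added example that is not part of the original post: it estimates the byte size of a request's header block the way an HTTP parser sees it, reports whether a request would pass Edge's 16KB limit but still be rejected by the 8192-byte Node limit, and prunes the headers down to an allowlist the backend actually needs (the same effect as the AssignMessage remove-header advice). Assumed: the count is taken from the serialized `Name: value\r\n` lines plus the blank line that ends the block, so it may differ by a few bytes from Node's own accounting; the sample headers are constructed.

```javascript
// Added example (not from the original post or from Apigee).
// Assumption: header size is measured from the serialized "Name: value\r\n"
// lines plus the terminating blank line; the real parser may differ slightly.
const NODE_HEADER_LIMIT = 8192;      // Node.js default discussed above
const EDGE_HEADER_LIMIT = 16 * 1024; // Apigee Edge default discussed above

// Approximate on-the-wire size of a header block, in UTF-8 bytes.
function headerBlockSize(headers) {
  let bytes = 0;
  for (const [name, value] of Object.entries(headers)) {
    bytes += Buffer.byteLength(`${name}: ${value}\r\n`, 'utf8');
  }
  return bytes + 2; // the CRLF that ends the header block
}

// Where a request with these headers would be stopped.
function classify(headers) {
  const size = headerBlockSize(headers);
  if (size > EDGE_HEADER_LIMIT) return { size, outcome: 'rejected-by-edge' };
  if (size > NODE_HEADER_LIMIT) {
    // Edge forwards it, the Hosted Target answers HTTP 413 (or a 5xx)
    return { size, outcome: 'accepted-by-edge-rejected-by-node' };
  }
  return { size, outcome: 'ok' };
}

// Keep only headers the backend needs; names compared case-insensitively.
function pruneHeaders(headers, allowlist) {
  const keep = new Set(allowlist.map((h) => h.toLowerCase()));
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (keep.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Constructed sample: a normal request plus an oversized bearer token
// standing in for a large JWT carried in a header.
const sampleHeaders = {
  Host: 'api.example.com',
  'Content-Type': 'application/json',
  'X-Request-Id': 'constructed-0001',
  Authorization: 'Bearer ' + 'A'.repeat(9000),
};

// Before pruning the request is 9113 bytes: under 16KB, over 8192.
console.log(classify(sampleHeaders));
console.log(classify(pruneHeaders(sampleHeaders, ['Host', 'Content-Type', 'X-Request-Id'])));
```

The same accounting can be run in the proxy to log which requests would exceed the backend's limit before the 413 appears at the client.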

Comments
dchiesa1
Staff

Thanks for the tip, Mark. One situation that might trip this problem is if an interface called for sending an entire JWT in headers - those can get pretty large, quickly.

markeccles-1
Staff

We also need to watch out for enablement of PropagateTLSInformation/ClientProperties set on virtualhosts that require client authentication.

See https://docs.apigee.com/api-platform/system-administration/tls-vars#setting-header-size-limits

The raw client certificate will be appended to one of the headers in the request. It can be quite large in some circumstances such as long DNs or many SANs. It can easily be over 8KB.

bowenjosh
Staff

This is also being added to the Hosted Targets FAQ. The workaround is to set the node version used in your hosted target to a version prior to 11.3.0, 10.4.0, 8.14.0 or 6.14.0. The node team is working to make this limit configurable and we will send an update when that work is completed.

markeccles-1
Staff

We've seen this with custom backends too.

Whether your backend is Nginx, F5, Tomcat, JBoss, etc., please be mindful of the default limits.

knarasi3
New Member

Hi team,

Any update on size limit?

Has it been increased?

Regards,

Kiran

jcwhitlock
Staff

HT has been updated to have the same header size limit that Edge has.

Last update: 12-05-2018 03:48 PM