When http header size limit is reached, instead of a generic 400 response, return 431 Request Header Fields Too Large #25528
Comments
Including the actual size limit might leak mildly sensitive information. I say "mildly" because you can binary-search it with multiple requests, but why make life easier for an attacker?
Since I posted this issue, I discovered there is an HTTP error code for this exact case. This would also be really valuable in CDN/logging reporting tools, as we can pinpoint exactly how many clients are getting bloated cookies and triggering 431s.
Furthermore, 431 exists in Node's
It also seems the default 400 behaviour is documented in the Event: 'clientError' documentation.
The following code would cause a server to behave how I wanted, using the HPE_HEADER_OVERFLOW error code.
Is it intentional that the consumer has to handle this mapping themselves? It seems a sensible default, but I understand if this is a design principle of Node.
431 sounds pretty reasonable to me. @nodejs/http @mcollina, would you agree?
I'm OK with using a 431, it seems a good idea! I think we might not want to change the default, and change this in a semver-major PR. Would you like to open one?
I'd love to give the PR a crack. I'm reading the contributing guide now and should have a PR within 24 hours; I've located the code responsible for the 400.
Here is the PR @sam-github @mcollina #25605
Instead of returning a generic 400 response when the max header size is reached, return a 431 Request Header Fields Too Large. This is a semver-major because it changes the HTTP status code for requests that trigger the header overflow error. PR-URL: nodejs#25605 Fixes: nodejs#25528 Refs: https://tools.ietf.org/html/rfc6585#section-5
We overlooked a Node security release in November 2018 that downsized the max http header size limit to 8192 bytes.
After a Node bump we occasionally saw 400s in production due to large cookies, but the response contained no body or interesting headers; all we got was a generic 400 HTTP error code. Is there a good reason for this?
We solved the problem eventually, but it would have been nice if the HTTP response body gave a text explanation of the error. For example:
Max HTTP header size of ${maxHttpHeaderSize} reached
Thanks.