1. Overview

Spring Boot web applications include a pre-configured, embedded web server by default. In some situations, though, we'd like to modify the default configuration to meet custom requirements.

In this tutorial, we’ll see how to set and use the max-http-header-size property for request headers in the application.properties file in a Spring Boot 2.x application.

2. Max-HTTP-Header-Size

Spring Boot supports Tomcat, Undertow, and Jetty as embedded servers. In general, we write the server configurations inside the application.properties file or application.yaml file in a Spring Boot application.

Most web servers have their own set of size limits for HTTP request headers. The HTTP header values are restricted by server implementations. In a Spring Boot application, the max HTTP header size is configured using server.max-http-header-size.

The actual default value for Tomcat and Jetty is 8kB, and the default value for Undertow is 1MB.

To modify the max HTTP header size, we'll add the property to our application.properties file:

server.max-http-header-size=20000

Likewise for the application.yaml format:

server:
    max-http-header-size: 20000

From Spring Boot 2.1, we'll now use a DataSize parsable value:

server.max-http-header-size=10KB

3. Request Header Is Too Large

Suppose a request is sent where the total HTTP header size is larger than the max-http-header-size value. The server rejects the request with a “400 Bad request” error. We'll see this error in our log file in the next example.

Let's create a controller which has a header property called token:

@RestController
@RequestMapping(value = "/request-header-test")
public class MaxHttpHeaderSizeController {
    @GetMapping
    public boolean testMaxHTTPHeaderSize(@RequestHeader(value = "token") String token) {
	return true;
    }
}

Next, let's add some properties to our application.properties file:

## Server connections configuration
server.tomcat.threads.max=200
server.connection-timeout=5s
server.max-http-header-size=8KB
server.tomcat.max-swallow-size=2MB
server.tomcat.max-http-post-size=2MB

When we pass a String value that has a size greater than 8kb in the token, we'll get the 400 error as below:

400 for max-http-header-size

And in the log, we see the below error:

19:41:50.757 [http-nio-8080-exec-7] INFO  o.a.coyote.http11.Http11Processor - Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Request header is too large
...

4. Solution

We can increase the value of the max-http-header-size property in our application.properties file as per our requirements.

In the above program, we can upgrade its value from the default 8kb to 40KB, which will resolve the problem.

server.max-http-header-size=40KB

Now, the server will process the request and send back a 200 response as below:

Max-HTTP-Header-Size

Hence, whenever the header size exceeds the default values listed by the server, we'll see the server returns a 400-Bad Request with an error “request header is too large”. We have to override the max-http-header-size value in the application configuration file to match the request header length, as we see in the above example.

In general, a request header might become too large when for example, the token used is very long due to encryption.

5. Conclusion

In this tutorial, we've learned how to use the max-http-header-size property in the application configuration files of our Spring Boot application.

Then, we saw what happens when we pass a request header exceeding this size and how to increase the size of max-http-header-size in our application.properties.

As always, the source code for these examples is available over on GitHub.

Generic bottom

Get started with Spring 5 and Spring Boot 2, through the Learn Spring course:

>> CHECK OUT THE COURSE
Generic footer banner
Comments are closed on this article!