Max-Http-Request-Header-Size in Spring Boot

Azure Spring Apps is a fully managed service from Microsoft (built in collaboration with VMware), focused on building and deploying Spring Boot applications on Azure Cloud without worrying about Kubernetes.

And, the Enterprise plan comes with some interesting features, such as commercial Spring runtime support, a 99.95% SLA and some deep discounts (up to 47%) when you are ready for production.

>> Learn more and deploy your first Spring Boot app to Azure.

You can also ask questions and leave feedback on the Azure Spring Apps GitHub page.

Slow MySQL query performance is all too common. Of course it is. A good way to go is, naturally, a dedicated profiler that actually understands the ins and outs of MySQL.

The Jet Profiler was built for MySQL only, so it can do things like real-time query performance, focus on most used tables or most frequent queries, quickly identify performance issues and basically help you optimize your queries.

Critically, it has very minimal impact on your server's performance, with most of the profiling work done separately - so it needs no server changes, agents or separate services.

Basically, you install the desktop application, connect to your MySQL server, hit the record button, and you'll have results within minutes:

>> Try out the Profiler

Accelerate Your Jakarta EE Development with Payara Server!

With best-in-class guides and documentation, Payara essentially simplifies deployment to diverse infrastructures.

Beyond that, it provides intelligent insights and actions to optimize Jakarta EE applications.

The goal is to apply an opinionated approach to get to what's essential for mission-critical applications - really solid scalability, availability, security, and long-term support:

>> Download and Explore the Guide (to learn more)

The AI Assistant to boost Boost your productivity writing unit tests - Machinet AI.

AI is all the rage these days, but for very good reason. The highly practical coding companion, you'll get the power of AI-assisted coding and automated unit test generation.
Machinet's Unit Test AI Agent utilizes your own project context to create meaningful unit tests that intelligently aligns with the behavior of the code.
And, the AI Chat crafts code and fixes errors with ease, like a helpful sidekick.

Simplify Your Coding Journey with Machinet AI:

>> Install Machinet AI in your IntelliJ

Looking for the ideal Linux distro for running modern Spring apps in the cloud?

Meet Alpaquita Linux: lightweight, secure, and powerful enough to handle heavy workloads.

This distro is specifically designed for running Java apps. It builds upon Alpine and features significant enhancements to excel in high-density container environments while meeting enterprise-grade security standards.

Specifically, the container image size is ~30% smaller than standard options, and it consumes up to 30% less RAM:

>> Try Alpaquita Containers now.

DbSchema is a super-flexible database designer, which can take you from designing the DB with your team all the way to safely deploying the schema.

The way it does all of that is by using a design model, a database-independent image of the schema, which can be shared in a team using GIT and compared or deployed on to any database.

And, of course, it can be heavily visual, allowing you to interact with the database using diagrams, visually compose queries, explore the data, generate random data, import data or build HTML5 database reports.

>> Take a look at DBSchema

Slow MySQL query performance is all too common. Of course it is. A good way to go is, naturally, a dedicated profiler that actually understands the ins and outs of MySQL.

Critically, it has very minimal impact on your server's performance, with most of the profiling work done separately - so it needs no server changes, agents or separate services.

Basically, you install the desktop application, connect to your MySQL server, hit the record button, and you'll have results within minutes:

>> Try out the Profiler

1. Overview

Spring Boot web applications include a pre-configured, embedded web server by default. In some situations, though, we’d like to modify the default configuration to meet custom requirements.

In this tutorial, we’ll see how to set up and use the server.max-http-request-header-size property for request headers in the application.properties file in a Spring Boot application.

2. server.max-http-request-header-size

Spring Boot supports Tomcat, Undertow, Netty, and Jetty as embedded servers. In general, we write the server configurations inside the application.properties file or application.yaml file in a Spring Boot application.

Before Spring Boot 3, we can set the default header by defining server.max-http-header-size in the properties file. However, this property behaves differently on the embedded server. When used with Tomcat, it configures both the maximum HTTP request and response header sizes. On the other hand, it configures only the maximum HTTP request header size when the embedded server is Undertwow, Netty, or Jetty.

Spring Boot 3.0 addresses these differences by deprecating server.max-http-header-size and replace with server.max-http-request-header-size. The properties now apply to request header size for the embedded server.

Furthermore, we can configure the maximum response header by implementing the WebServerFactoryCustomizer interface. Notably, this property is supported only by Tomcat and Jetty.

Most web servers have their own set of size limits for HTTP request headers. The HTTP header values are restricted by server implementations.

The actual default value for Tomcat and Jetty is 8kB, and the default value for Undertow is 1MB.

To modify the max HTTP header size, we’ll add the property to our application.properties file:

server.max-http-request-header-size=20000

Likewise for the application.yaml format:

server:
    max-http-request-header-size: 20000

From Spring Boot 2.1, we’ll now use a DataSize parsable value:

server.max-http-request-header-size=10KB

3. Request Header Is Too Large

Suppose a request is sent where the total HTTP header size is larger than the max-http-header-size value. The server rejects the request with a “400 Bad request” error. We’ll see this error in our log file in the next example.

Let’s create a controller which has a header property called token:

@RestController
@RequestMapping(value = "/request-header-test")
public class MaxHttpHeaderSizeController {
    @GetMapping
    public boolean testMaxHTTPHeaderSize(@RequestHeader(value = "token") String token) {
	return true;
    }
}

Next, let’s add some properties to our application.properties file:

## Server connections configuration
server.tomcat.threads.max=200
server.connection-timeout=5s
server.max-http-request-header-size=8KB
server.tomcat.max-swallow-size=2MB
server.tomcat.max-http-post-size=2MB

When we pass a String value that has a size greater than 8kb in the token, we’ll get the 400 error as below:

And in the log, we see the below error:

19:41:50.757 [http-nio-8080-exec-7] INFO  o.a.coyote.http11.Http11Processor - Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Request header is too large
...

4. Solution

We can increase the value of the max-http-request-header-size property in our application.properties file as per our requirements.

In the above program, we can upgrade its value from the default 8kb to 40KB, which will resolve the problem.

server.max-http-request-header-size=40KB

Now, the server will process the request and send back a 200 response as below:

Hence, whenever the header size exceeds the default values listed by the server, we’ll see the server returns a 400-Bad Request with an error “request header is too large”. We have to override the max-http-request-header-size value in the application configuration file to match the request header length, as we see in the above example.

In general, a request header might become too large when for example, the token used is very long due to encryption.

5. Conclusion

In this tutorial, we’ve learned how to use the max-http-request-header-size property in the application configuration files of our Spring Boot application.

Then, we saw what happens when we pass a request header exceeding this size and how to increase the size of max-http-request-header-size in our application.properties.

As always, the source code for these examples is available over on GitHub.

Max-Http-Request-Header-Size in Spring Boot

Get started with Spring and Spring Boot, through the Learn Spring course:

1. Overview

2. server.max-http-request-header-size

3. Request Header Is Too Large

4. Solution

5. Conclusion

Get started with Spring and Spring Boot, through the Learn Spring course:

REST with Spring

Learn Spring Security ▼▲

Learn Spring Security Core

Learn Spring Security OAuth

Learn Spring

Learn Spring Data JPA

Persistence

REST

Security

Full Archive

Baeldung Ebooks

About Baeldung

Write for Baeldung

Get started with Spring and Spring Boot, through the Learn Spring course:

1. Overview

2. server.max-http-request-header-size

3. Request Header Is Too Large

4. Solution

5. Conclusion

Get started with Spring and Spring Boot, through the Learn Spring course: