Is there a practical HTTP Header length limit?

Kevin Hakanson picture Kevin Hakanson · Jul 8, 2009 · Viewed 97.8k times · Source

I have a web application that adds contextual information to XmlHttpRequest objects using the setRequestHeader API. I am using a custom header name (e.g. X-Foo) and a JSON structured value. It isn't part of the URL QueryString or POST body because it is meta information about the request.

Is there a practical size limit to the header value? If my JSON gets truncated, it becomes unparseable. I am most concerned with limits in Apache 2, Tomcat 6 and IIS 7. I did a Google search for http header length limit, but many of the results seem dated. There are some relevant comments in How big can a user agent string get? but not as specific as I would like.

Edit: I just ran across this similar question - Maximum on http header values?

Answer

Gumbo picture Gumbo · May 28, 2011

Although each web server software has some limitations, there is a difference whether there’s a limit for the HTTP request line plus header fields or for each header field.

Here’s a summary:

  • Apache 1.3, 2.0, 2.2, 2.3: 8190 Bytes (for each header field)
  • IIS:
    • 4.0: 2097152 Bytes (for the request line plus header fields)
    • 5.0: 131072 Bytes, 16384 Bytes with Windows 2000 Service Pack 4 (for the request line plus header fields)
    • 6.0: 16384 Bytes (for each header fields)
  • Tomcat:
    • 5.5.x/6.0.x: 49152 Bytes (for the request line plus header fields)
    • 7.0.x: 8190 Bytes (for the request line plus header fields)

So to conclude: To be accepted by all web servers above, a request’s request line plus header fields should not exceed 8190 Bytes. This is also the limit for each header fields (effectively even less).