431 Request Header Fields Too Large

The HTTP 431 status code indicates that a server refuses to process a request because its HTTP headers are too big.

While the HTTP spec doesn’t impose any limits on the size of headers, most web servers do. Servers can use this status code when a single header field, or the total size of all header fields, exceeds the limit.

More often than not, the culprit is a cookie-related header (Set-Cookie or Cookie). The Referer header is also worth checking, since it can easily be spoofed.

HTTP/2

According to the HTTP/2 specification, the cookie header may be split into multiple header fields for better compression (HPACK) efficiency. That might cause a problem when there are too many cookie-related header fields.

While you can configure some web servers to accommodate larger cookies, keep in mind that this might open an avenue for a denial of service attack.

Make sure to clear cookies from your browser before tweaking the configuration parameters.
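The following is an added example, not part of the original page or of any server’s code. It models the two limits described above (per-field and total) and shows why HTTP/2 cookie splitting matters: each split cookie field can be under the per-field limit while the reassembled Cookie header is over it. Sizes are measured on decoded (uncompressed) text, which is a simplification, and the limit values are constructed placeholders rather than a particular server’s defaults.

```python
# Constructed limits, modelled on the per-field and total limits the page
# describes; they are not the defaults of nginx or any other server.
MAX_FIELD_SIZE = 4 * 1024    # one header field (name + value)
MAX_HEADER_SIZE = 16 * 1024  # all header fields together


def parse_header_block(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.1 request head into (name, value) pairs.

    Only the header section is parsed; the request line is skipped and the
    blank line ends the block. Names are lower-cased as HTTP/2 requires.
    """
    fields = []
    for line in raw.split(b"\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(b":")
        fields.append((name.strip().lower().decode("latin-1"),
                       value.strip().decode("latin-1")))
    return fields


def merge_cookie_fields(fields: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Reassemble cookie fields that HTTP/2 (RFC 7540 8.1.2.5) allows a client
    to split for HPACK efficiency; the pieces are joined with '; ' so the
    limit can be applied to the full Cookie header the application sees."""
    cookies = [v for n, v in fields if n == "cookie"]
    others = [(n, v) for n, v in fields if n != "cookie"]
    if cookies:
        others.append(("cookie", "; ".join(cookies)))
    return others


def check_headers(fields, max_field=MAX_FIELD_SIZE, max_total=MAX_HEADER_SIZE):
    """Return 431 if any single field or the sum of all fields exceeds its
    limit, otherwise None (the request may proceed)."""
    total = 0
    for name, value in fields:
        size = len(name) + len(value)
        if size > max_field:
            return 431
        total += size
    return 431 if total > max_total else None
```

Running `check_headers` before and after `merge_cookie_fields` on the same split cookie shows the difference between a per-field check and a check on the reassembled header.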

Nginx

If you’re using the HTTP/2 module for nginx, you can configure the http2_max_header_size directive to control the allowed size of all headers. The default is 16K, which means all headers can occupy no more than 16 kilobytes of space after decompression.

http2_max_header_size 32k;

If the above config doesn’t address your problem, you might want to increase the limit for the maximum size of a request header field (HPACK-compressed). The default is 4k, which means a request header’s name or value can’t exceed 4 kilobytes.

http2_max_field_size 8k;

Note that instead of returning the 431 status code when a header is too large, nginx closes the HTTP/2 connection (by sending a GOAWAY frame).

Node.js

Starting from versions 10.15.0 and 11.6.0, you can pass the --max-http-header-size flag to control the maximum header size.

node --max-http-header-size=16384 index.js

The default was reduced from about 80 kilobytes to 8 kilobytes (8192 bytes) to prevent a denial of service attack with large HTTP headers (CVE-2018-12121).