431 Request Header Fields Too Large

HTTP 431 status code indicates that a server refuses to process a request because HTTP headers are too big.

While the HTTP spec doesn’t impose any limits on the size of headers, most web servers do. Servers can use this status code when the single header field or the total size of all headers exceeds the limit.

More often than not, the culprit is a cookie-related header (Set-Cookie or Cookie). It’s worth checking the Referer and User-Agent headers as well as they can be easily spoofed.

HTTP/2

According to the HTTP/2 specification, the cookie header may be split into multiple header fields for better compression efficiency (HPACK). That might cause a problem when there are too many cookie-related header fields.

While you can configure some web servers to accommodate larger cookies, keep in mind that this might open an avenue for a denial of service (DoS) attack.

Make sure to clear cookies from your browser before tweaking the configuration parameters.

Nginx

Instead of returning the 431 status code when the cookie or header size is too large, Nginx responds with the 400 Bad Request Request Header Or Cookie Too Large. To accommodate larger cookies or headers, keep increasing the client_header_buffer_size directive until you get a 200 OK response:

client_header_buffer_size 128k;

If you’re using the HTTP/2 module for nginx, you can configure the http2_max_header_size to control the allowed size of all headers. The default is 16K, which means all headers can occupy no more than 16 kilobytes of space after the decompression.

Also, consider increasing the limit for the maximum size of a request header field (HPACK-compressed). The default is 4k, which means a request header’s name or value can’t exceed 4 kilobytes.

http2_max_header_size 32k;
http2_max_field_size 8k;

Nginx will disconnect the HTTP/2 session upon encountering large headers or request line instead of returning 431 or 414 status codes.

Node.js

Starting from versions 10.15.0 and 11.6.0, you can pass the --max-http-header-size flag to control the maximum header size.

node --max-http-header-size=16384 index.js

The default was reduced from about 80 kilobytes to 8 kilobytes (8192 bytes) to prevent a denial of service attack with large HTTP headers (CVE-2018-12121).

Interested in no-nonsense technical guides?

No spyware, no promotional emails, or keyword-stuffed junk. I will only send you a single email when I've got something interesting to say. Unsubscribe anytime.

You can also subscribe to the Atom feed (it's like RSS, but better).