683

Is it browser dependent? Also, do different web stacks have different limits on how much data they can get from the request?

mavis
Brian Sullivan
  • you can also check this http://stackoverflow.com/questions/417142/what-is-the-maximum-length-of-an-url – Xinus Dec 13 '09 at 04:41
  • It is only for GET requests! The maximal size of the POST requests (with or without multipart/form-data) is here unknown! – peterh Jan 22 '15 at 13:54

3 Answers

1150

RFC 2616 (Hypertext Transfer Protocol — HTTP/1.1) states there is no limit to the length of a query string (section 3.2.1). RFC 3986 (Uniform Resource Identifier — URI) also states there is no limit, but indicates the hostname is limited to 255 characters because of DNS limitations (section 2.3.3).

While the specifications do not specify any maximum length, practical limits are imposed by web browser and server software. Based on research which is unfortunately no longer available on its original site (it leads to a shady-seeming loan site) but which can still be found at Internet Archive Of Boutell.com:

  • Microsoft Edge (Browser)
    The limit appears to be around 81578 characters. See URL Length limitation of Microsoft Edge

  • Chrome
    It stops displaying the URL after 64k characters, but can serve more than 100k characters. No further testing was done beyond that.

  • Firefox (Browser)
    After 65,536 characters, the location bar no longer displays the URL in Windows Firefox 1.5.x. However, longer URLs will work. No further testing was done after 100,000 characters.

  • Safari (Browser)
    At least 80,000 characters will work. Testing was not tried beyond that.

  • Opera (Browser)
    At least 190,000 characters will work. Stopped testing after 190,000 characters. Opera 9 for Windows continued to display a fully editable, copyable and pasteable URL in the location bar even at 190,000 characters.

  • Microsoft Internet Explorer (Browser)
    Microsoft states that the maximum length of a URL in Internet Explorer is 2,083 characters, with no more than 2,048 characters in the path portion of the URL. Attempts to use URLs longer than this produced a clear error message in Internet Explorer.

  • Apache (Server)
    Early attempts to measure the maximum URL length in web browsers bumped into a server URL length limit of approximately 4,000 characters, after which Apache produces a "413 Entity Too Large" error. The current up to date Apache build found in Red Hat Enterprise Linux 4 was used. The official Apache documentation only mentions an 8,192-byte limit on an individual field in a request.

  • Microsoft Internet Information Server (Server)
    The default limit is 16,384 characters (yes, Microsoft's web server accepts longer URLs than Microsoft's web browser). This is configurable.

  • Perl HTTP::Daemon (Server)
    Up to 8,000 bytes will work. Those constructing web application servers with Perl's HTTP::Daemon module will encounter a 16,384 byte limit on the combined size of all HTTP request headers. This does not include POST-method form data, file uploads, etc., but it does include the URL. In practice this resulted in a 413 error when a URL was significantly longer than 8,000 characters. This limitation can be easily removed. Look for all occurrences of 16x1024 in Daemon.pm and replace them with a larger value. Of course, this does increase your exposure to denial of service attacks.

Community
Robert Cartaino
  • 10
    Why don't you say the version number also instead of "Microsoft Internet Explorer (Browser)"? – LCJ May 28 '14 at 14:08
  • 7
    It appears that the default IIS limit on the Query String is significantly less than 16,384 characters - quoted as 2048 here: https://www.iis.net/configreference/system.webserver/security/requestfiltering/requestlimits – JTech Jan 27 '16 at 00:50
  • https://stackoverflow.com/questions/417142/what-is-the-maximum-length-of-a-url-in-different-browsers?noredirect=1&lq=1 – Sampisa Mar 08 '18 at 09:15
  • 1
    I think you made a typo and the DNS limitations are discussed in section "3.2.2. Host" of RFC3986, not 2.2.3. "URI producers should use names that conform to the DNS syntax, even when use of DNS is not immediately apparent, and should limit these names to no more than 255 characters in length." – Craig Hicks Feb 19 '19 at 18:57
  • Causes `java.lang.IllegalArgumentException: Request header is too large` on tomcat spring boot application server. – Paramvir Singh Karwal Jul 12 '19 at 14:30
  • In addition to the incorrect section, RFC 2616 is obsoleted by 7230. Of course, SO edit queue is full at the moment. – Paul Jan 08 '22 at 23:40
52

Recommended Security and Performance Max: 2048 CHARACTERS

Although officially there is no limit specified by RFC 2616, many security protocols and recommendations state that maxQueryString on a server should be set to a maximum character limit of 1024, while the entire URL, including the query string, should be set to a max of 2048 characters. This is to prevent the Slow HTTP Request DDOS/DOS attack vulnerability on a web server. This typically shows up as a vulnerability on the Qualys Web Application Scanner and other security scanners.

Please see the below example code for Windows IIS Servers with Web.config:

```xml
<system.webServer>
  <security>
    <requestFiltering>
      <!-- Cap the query string and overall URL length -->
      <requestLimits maxQueryString="1024" maxUrl="2048">
        <headerLimits>
          <!-- Cap the size of an individual request header -->
          <add header="Content-type" sizeLimit="100" />
        </headerLimits>
      </requestLimits>
    </requestFiltering>
  </security>
</system.webServer>
```

This would also work on a server level using machine.config.

This is just for Windows operating system based servers; I'm not sure if there is a similar issue on Apache or other servers.

Note: Limiting query string and URL length may not completely prevent Slow HTTP Requests DDOS attack but it is one step you can take to prevent it.

Adding a reference as requested in the comments: https://www.raiseupwa.com/writing-tips/what-is-the-limit-of-query-string-in-asp-net/

TroySteven
  • 8
    And now I have a reason I can tell the backend engineers that we won't accept a list of one hundred 36 character UUIDs in the queryParams of a GET request. Thanks! – Mordred Jan 15 '20 at 22:37
  • 1
    @Mordred, what is this API for - that takes in 100 UUIDs in query params? Is it a kind of Filtering UI? – Maulik Modi Apr 19 '21 at 14:10
  • 2
    @MaulikModi Yes. It was essentially a "simple" backend query of `/get/records-by-id?ids=10000000001,1000000002,....` but the IDs were UUIDs of course. – Mordred Apr 23 '21 at 01:43
  • 3
    @Mordred - Best solution I guess is to limit the UUIDs in the request. I think that putting the UUIDs in the query, while ugly, is the best practice. Some database engines such as ElasticSearch put the UUIDs in the body of a GET request, but that is not standardized, and some web frameworks ignore the body on a GET. I also commonly see APIs use a POST request instead to send the UUIDs, which has other downsides - GET is fundamentally different from POST - so you end up breaking some of the functionality, such as caching, that was designed for GET requests. – tim-montague Apr 23 '21 at 19:34
  • 1
    Is there any way to get references to some example security recommendations regarding this? – Jitsusama Aug 05 '21 at 14:30
  • 1
    @tim-montague by now at least LiteSpeed webserver also supports POST response caching as mentioned in https://blog.litespeedtech.com/2021/03/01/post-response-caching/ – Christian Rauchenwald Oct 29 '21 at 09:46
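
One way to see which existing requests the limits in the answer above would reject before turning them on, as an added example that is not part of the original post or comments: it scans IIS W3C extended log lines and reports every request over `maxQueryString="1024"` or `maxUrl="2048"`. The function name, the sample log, and counting the URL as path plus query string (following the answer's wording) are assumptions.

```python
# Added example: audit IIS W3C log lines against the limits from the answer.
MAX_QUERY_STRING = 1024   # maxQueryString value from the answer's web.config
MAX_URL = 2048            # maxUrl value from the answer's web.config

def audit_w3c_log(lines, max_query=MAX_QUERY_STRING, max_url=MAX_URL):
    """Return one finding per logged request that exceeds either limit."""
    fields, findings = [], []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if line.startswith("#Fields:"):
            # The directive names the columns; it can reappear mid-file.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated row; skip rather than guess
        row = dict(zip(fields, values))
        stem = row.get("cs-uri-stem", "-")
        query = row.get("cs-uri-query", "-")
        query = "" if query == "-" else query  # IIS logs "-" for an empty field
        # Assumption: URL length = path + "?" + query, per the answer's wording.
        url_len = len(stem) + (len(query) + 1 if query else 0)
        reasons = []
        if len(query) > max_query:
            reasons.append("query")
        if url_len > max_url:
            reasons.append("url")
        if reasons:
            findings.append({"line": lineno, "path": stem, "query_len": len(query),
                             "url_len": url_len, "exceeds": reasons})
    return findings

# Constructed sample log (not real traffic). The second request carries 100
# UUIDs in one parameter, the case raised in the comments.
_UUIDS = ",".join(f"{i:08x}-0000-4000-8000-000000000000" for i in range(100))
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status",
    "2024-01-01 10:00:00 GET /search q=url+length 200",
    f"2024-01-01 10:00:01 GET /get/records-by-id ids={_UUIDS} 200",
    "2024-01-01 10:00:02 GET /health - 200",
]

if __name__ == "__main__":
    for finding in audit_w3c_log(SAMPLE_LOG):
        print(finding)
```

Running it over a few days of production logs shows which legitimate callers need to change before the request-filtering limits are enforced.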
1

Different web stacks do support different lengths of http-requests. I know from experience that the early stacks of Safari only supported 4000 characters and thus had difficulty handling ASP.net pages because of the USER-STATE. This is even for POST, so you would have to check the browser and see what the stack limit is. I think that you may reach a limit even on newer browsers. I cannot remember, but one of them (IE6, I think) had a 16-bit limit, 32,768 or something.

kdevine