What is the limit on QueryString / GET / URL parameters

Question

possible duplicate of [What is the maximum possible length of a query string?](http://stackoverflow.com/questions/812925/what-is-the-maximum-possible-length-of-a-query-string) — isaacbernat, May 21 '15 at 15:24

score 72 · Accepted Answer · edited Oct 07 '21 at 05:46

72

There is no limit in theory. For HTTP URLs, the HTTP 1.1 specification states:

The HTTP protocol does not place any a priori limit on the length of a URI. Servers MUST be able to handle the URI of any resource they serve, and SHOULD be able to handle URIs of unbounded length if they provide GET-based forms that could generate such URIs. A server SHOULD return 414 (Request-URI Too Long) status if a URI is longer than the server can handle (see section 10.4.15).

But in practice, many clients and servers do only support URLs up to a certain length. The rule of thumb is not to use URLs longer than 2000 characters (percent encoding already taken into account).

edited Oct 07 '21 at 05:46

Community

1
1

answered Jun 22 '10 at 08:40

Gumbo

643,351
109
780
844

Do you know a list of major (often used) components that have this limit? – Thomas Weller Dec 04 '14 at 11:59
@Thomas No, unfortunately not. – Gumbo Dec 04 '14 at 12:18
The linked article is a great (although dated) overview of how different browsers/sytems handle this. – E. Villiger Mar 01 '19 at 12:05
The linked article is linking to a loans website and is completely irrelevant Edit: appears the domain was bought / taken over late last year – roborourke Mar 05 '20 at 11:23
Updated the link to the web archive version – roborourke Mar 05 '20 at 11:30

score 5 · Answer 2 · answered Jun 22 '10 at 08:39

There is no defined limit. However, RFC 2068 states:

The HTTP protocol does not place any a priori limit on the length of a URI. Servers MUST be able to handle the URI of any resource they serve, and SHOULD be able to handle URIs of unbounded length if they provide GET-based forms that could generate such URIs. A server SHOULD return 414 (Request-URI Too Long) status if a URI is longer than the server can handle (see section 10.4.15). Note: Servers should be cautious about depending on URI lengths above 255 bytes, because some older client or proxy implementations may not properly support these lengths.

TroySteven · Answer 3 · 2020-01-15T22:57:00.190

Although officially there is no limit specified by RFC 2616, many security protocols and recommendations state that maxQueryStrings on a server should be set to a maximum character limit of 1024. While the entire URL, including the querystring, should be set to a max of 2048 characters. This is to prevent the Slow HTTP Request DDOS vulnerability on a web server. This typically shows up as a vulnerability on the Qualys Web Application Scanner and other security scanners.

Please see the below exampple code for Windows IIS Servers with Web.config:

This would also work on a server level using machine.config.

Note: Limiting query string and URL length may not completely prevent Slow HTTP Requests DDOS attack but it is one step you can take to prevent it.

What is the limit on QueryString / GET / URL parameters

3 Answers3

Linked