Can HTTP headers be too big for browsers?

Question

I am building an AJAX application that uses both HTTP Content and HTTP Header to send and receive data. Is there a point where the data received from the HTTP Header won't be read by the browser because it is too big ? If yes, what is the limit and is it the same behaviour in all the browser ?

I know that theoretically there is no limit to the size of HTTP headers, but in practice what is the point that past that, I could have problem under certain platform, browsers or with certain software installed on the client computer or machine. I am more looking into a guide-line for safe practice of using HTTP headers. In other word, up to what extend can HTTP headers be used for transmitting additional data without having potential problem coming into the line ?

Thanks, for all the input about this question, it was very appreciated and interesting. Thomas answer got the bounty, but Jon Hanna's answer brought up a very good point about the proxy.

What kind of data are you transmitting through the headers? If you're using AJAX, why not use JSON or XML instead of putting things in the headers? — clinton3141, Jul 24 '10 at 18:01
Has stated in the question, I am already using the content of the result for data. The data passed in the header is extra data. For the data sended, it's JSON encoded data. — HoLyVieR, Jul 24 '10 at 18:02
duplicate of http://stackoverflow.com/questions/1097651/is-there-a-practical-http-header-length-limit — ankitjaininfo, Jul 24 '10 at 18:06
As stated in the response of the only answer, I am looking about what browsers will accept, not SERVERS. It is not what I am looking for. — HoLyVieR, Jul 24 '10 at 18:09
Indeed, this is about User-Agent limitations, not server ones. If my experience is anything to go by, chances are those can be a lot lower. Voted to reopen. — Wrikken, Jul 24 '10 at 18:15
there are just so many red flags here that I am just going to hold up a 'there be dragons' sign and continue what i was doing. — Sky Sanders, Jul 24 '10 at 18:45
@code poet Does that mean I have to take the question to meta to have it re-open or I just have to wait till an other moderator comes by ? — HoLyVieR, Jul 24 '10 at 19:02
i am not talking about the state of the post but the content of the question. that you are exploring the limits of bandwidth available to you in http headers tells me that you are going to spend a lot of time finding out how bad of an idea that is. thats all. but good luck, this is how we learn lessons that we never forget. cheers. — Sky Sanders, Jul 24 '10 at 19:06
Question is now re-opened, thanks to everyone who voted to re-open. I just hope, I will get answers now :/ — HoLyVieR, Jul 24 '10 at 20:28
Have you had any indication of problems with this? How about trying huge headers (.5, 1, 2, 4 MB) headers and seeing if it works? — JAL, Jul 24 '10 at 21:34
@Alex JL Well the problem with just testing is that it might be ok to send 4MB header on some browsers, but on other it might not be ok. The result could also change from a platform to an other. I don't want to base myself on result of few browser and expect the same result will happen in all others. — HoLyVieR, Jul 24 '10 at 21:38
You also need to be concerned about how firewalls and other network infrastructure will react to long headers — John Saunders, Jul 24 '10 at 22:41
@HoLyVieR that's right, when I test something I try it in Safari, Chrome, Firefox, and IE 6, 7 and 8. Ideally, you should have all of these browsers available. — JAL, Jul 25 '10 at 00:27
Regarding your statement "Has stated in the question, I am already using the content of the result for data. The data passed in the header is extra data." Why can the data that you are transmitting not go where it is supposed to (in the body?) What extra headers are you adding? — Hut8, Aug 02 '10 at 15:51
@bowenl2 To be exact what I am building is a SOAP like system in PHP where the response data is the result of that request. Additionally, there can be extra data that aren't a "result". These data are used as indication for other module. For example, I have a module for modification in the HTML. A response can contain both response data and HTML modification. I don't want to have both data to be mixed, because if I want to use the request from a windows application, HTML modification shouldn't be part of the result. — HoLyVieR, Aug 02 '10 at 16:47
Normally the data sent shouldn't be too big, but I wanted to know if there was a point where the data would too big for browser to handle. — HoLyVieR, Aug 02 '10 at 16:49

Thomas · Answer 1 · 2010-08-08T21:48:38.670

Short answers:

Same behaviour: No

Lowest limit found in popular browsers:

10KB per header
256 KB for all headers in one response.

Test results from MacBook running Mac OS X 10.6.4:

Biggest response successfully loaded, all data in one header:

Opera 10: 150MB
Safari 5: 20MB
IE 6 via Wine: 10MB
Chrome 5: 250KB
Firefox 3.6: 10KB

Note Those outrageous big headers in Opera, Safari and IE took minutes to load.

Note to Chrome: Actual limit seems to be 256KB for the whole HTTP header. Error message appears: "Error 325 (net::ERR_RESPONSE_HEADERS_TOO_BIG): Unknown error."

Note to Firefox: When sending data through multiple headers 100MB worked fine, just split up over 10'000 headers.

My Conclusion: If you want to support all popular browsers 10KB per header seems to be the limit and 256KB for all headers together.

My PHP Code used to generate those responses:

<?php

ini_set('memory_limit', '1024M');
set_time_limit(90);
$header = "";

$bytes = 256000;

for($i=0;$i<$bytes;$i++) {
    $header .= "1";
}

header("MyData: ".$header);
/* Firfox multiple headers
for($i=1;$i<1000;$i++) {
    header("MyData".$i.": ".$header);
}*/

echo "Length of header: ".($bytes / 1024).' kilobytes';

?>

https://cs.chromium.org/chromium/src/net/http/http_stream_parser.h?q=ERR_RESPONSE_HEADERS_TOO_BIG&sq=package:chromium&dr=C&l=159 Looks like the Chrome one has never been enlarged. — jcolebrand, Sep 25 '16 at 21:06
Updated values: Firefox 99: a bit below 393,216 B per header. Chrome 100: 250 KB per header. — ZachB, May 07 '22 at 17:58

score 8 · Accepted Answer · answered Aug 07 '10 at 18:03

In practice, while there are rules prohibitting proxies from not passing certain headers (indeed, quite clear rules on which can be modified and even on how to inform a proxy on whether it can modify a new header added by a later standard), this only applies to "transparent" proxies, and not all proxies are transparent. In particular, some wipe headers they don't understand as a deliberate security practice.

Also, in practice some do misbehave (though things are much better than they were).

So, beyond the obvious core headers, the amount of header information you can depend on being passed from server to client is zero.

This is just one of the reasons why you should never depend on headers being used well (e.g., be prepared for the client to repeat a request for something it should have cached, or for the server to send the whole entity when you request a range), barring the obvious case of authentication headers (under the fail-to-secure principle).

Sasha Chedygov · Answer 3 · 2010-08-06T21:19:46.677

Two things.

First of all, why not just run a test that gives the browser progressively larger and larger headers and wait till it hits a number that doesn't work? Just run it once in each browser. That's the most surefire way to figure this out. Even if it's not entirely comprehensive, you at least have some practical numbers to go off of, and those numbers will likely cover a huge majority of your users.

Second, I agree with everyone saying that this is a bad idea. It should not be hard to find a different solution if you are really that concerned about hitting the limit. Even if you do test on every browser, there are still firewalls, etc to worry about, and there is absolutely no way you will be able to test every combination (and I'm almost positive that no one else has done this before you). You will not be able to get a hard limit for every case.

Though in theory, this should all work out fine, there might later be that one edge case that bites you in the butt if you decide to do this.

TL;DR: This is a bad idea. Save yourself the trouble and find a real solution instead of a workaround.

Edit: Since you mention that the requests can come from several types of sources, why not just specify the source in the request header and have the data contained entirely in the body? Have some kind of Source or ClientType field in the header that specifies where the request is coming from. If it's coming from a browser, include the HTML in the body; if it's coming from a PHP application, put some PHP-specific stuff in there; etc etc. If the field is empty, don't add any extra data at all.

+1 for giving the source or client type. You can use GET parameters to specify what kind of response should be given. — Michael Aaron Safyan, Aug 08 '10 at 04:30

score 2 · Answer 4 · edited Mar 03 '20 at 20:21

2

The RFC for HTTP/1.1 clearly does not limit the length of the headers or the body.

According to this page modern browsers (Firefox, Safari, Opera), with the exception of IE can handle very long URIs: https://web.archive.org/web/20191019132547/https://boutell.com/newfaq/misc/urllength.html. I know it is different from receiving headers, but at least shows that they can create and send huge HTTP requests (possibly unlimited length).

If there's any limit in the browsers it would be something like the size of the available memory or limit of a variable type, etc.

edited Mar 03 '20 at 20:21

grg

5,023
3
34
50

answered Jul 24 '10 at 21:30

Karman Kertesz

334
3
8

1

For everyone up-voting this, please note, that this only states what the protocol is, which is in theory what browsers should handle, but has everyone know theory is very often not the same thing as practice. This is not the answer I am looking for. This is merely just a feeling about what the answer would be. I want something more than just "I got a feeling that it would be something like". – HoLyVieR Aug 04 '10 at 00:35
1

I agree with HoLyVieR, this is not really an answer. It's just some related information. Really this is not a great question in the first place, it's asking for statistics that are not really published 'cause usually people don't care enough. However, for someone that does care enough, how hard is it to write an AJAX application that tests the limits of a browser and then run that in various browsers? The results would be much more reliable than asking others who have not run such tests. – Samuel Neff Aug 05 '10 at 18:23

score 1 · Answer 5 · answered Aug 04 '10 at 05:17

Theoretically, there's no limit to the amount of data that can be sent in the browser. It's almost like saying there's a limit to the amount of content that can be in the body of a web page.

If possible, try to transmit the data through the body of the document. To be on the safe side, consider splitting the data up, so that there are multiple passes for loading.

Can HTTP headers be too big for browsers?

5 Answers5

Linked