
The security team at my company has set a limit on the number of headers an HTTP request can contain (not header size, but an actual hard count limit on the number of headers).

A vendor has added a few headers for request tracing purposes, which has meant some requests are being denied as they exceed this limit.

I can understand why we would add a limit of say 500 headers, or perhaps even 100. But the limit we have set is more like 25 headers.

When we ask why this limit is in place the answer is just "security".

Is there an actual reason as to why you would want such a low limit? I can understand size limits, but not this.

Jessica

  • "Security" is ***never*** an answer. Security controls exist to limit and reduce *risk*. So any viable answer to your question should outline what the threats are, what the potential impact is, and how this control mitigates that risk. Copy/paste this comment to your security team, if you would like. – schroeder Aug 30 '22 at 08:23
  • I can't understand it either. This is *not* about security. – Artem S. Tashkinov Aug 30 '22 at 09:32
  • Additionally, if your security team provides you with valid feedback, you can post an answer below to share with everyone. I am curious. – Yuriko Aug 30 '22 at 09:32

1 Answer

Basically, the reason for the limit is that the application could be DoSed at the application layer due to excessive header processing. For example, if you have an HTTP request that contains the Host header 20 times with different hostnames, your backend will probably make 20 DNS resolutions (this depends of course on the backend or proxy). Likewise, some headers like Cookie have specific parsers, so if you include 20 Cookie headers you will probably drive up CPU usage. With Authorization headers you will perform some cryptographic operations, and the same goes for some JWT headers.

Limiting the number of headers is a good idea; from my experience, more than 16 headers should be a reasonable value, but this depends on the backend/proxy system that will process the requests.

camp0
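The point of the answer above is that a header-count limit is cheap to enforce and caps the amount of per-header work (cookie parsing, token verification, host lookups) a request can trigger. The following is an added illustration, not code from the question, the answer or any product mentioned; it is a toy request parser that applies the count limit before doing any per-header processing, rejects duplicated singleton headers such as Host (RFC 7230 requires a 400 for more than one Host field), and only then tallies the "expensive" operations a backend would run. The limit value of 25 is taken from the question; the per-header cost figures and the `SINGLETON_HEADERS` set are illustrative assumptions.

```python
"""Toy HTTP/1.1 header parser that enforces a hard header-count limit
before any per-header work is performed (added example, not the page's code)."""
from dataclasses import dataclass, field

MAX_HEADER_COUNT = 25            # hypothetical limit, matching the question
SINGLETON_HEADERS = {"host", "content-length"}  # assumed: must not repeat


@dataclass
class ParseResult:
    status: int
    reason: str
    headers: list = field(default_factory=list)
    # Illustrative count of expensive per-header operations the backend would run.
    work_units: int = 0


def build_request(headers, method=b"GET", target=b"/"):
    """Construct a raw request from (name, value) pairs (constructed sample input)."""
    lines = [method + b" " + target + b" HTTP/1.1"]
    for name, value in headers:
        lines.append(name.encode("ascii") + b": " + value.encode("ascii"))
    return b"\r\n".join(lines) + b"\r\n\r\n"


def parse_request(raw: bytes, max_headers: int = MAX_HEADER_COUNT) -> ParseResult:
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    header_lines = [line for line in lines[1:] if line]

    # Check 1: the count limit. This is O(number of lines) and runs before
    # any header is parsed, so an oversized request costs almost nothing.
    if len(header_lines) > max_headers:
        return ParseResult(431, "Request Header Fields Too Large")

    headers = []
    seen = {}
    for line in header_lines:
        name, sep, value = line.partition(b":")
        # Reject malformed lines and whitespace before the colon (RFC 7230 3.2.4).
        if not sep or not name or name != name.strip():
            return ParseResult(400, "Bad Request")
        lname = name.decode("ascii", "replace").lower()
        seen[lname] = seen.get(lname, 0) + 1
        # Check 2: singleton headers such as Host must appear at most once.
        if lname in SINGLETON_HEADERS and seen[lname] > 1:
            return ParseResult(400, "Bad Request: duplicate " + lname)
        headers.append((lname, value.strip().decode("latin-1")))

    # Only a request that passed both checks reaches the expensive work.
    work = 0
    for lname, value in headers:
        if lname == "cookie":
            # One unit per cookie pair the cookie parser would have to handle.
            work += len([c for c in value.split(";") if c.strip()])
        elif lname == "authorization":
            work += 1  # token/signature verification
        elif lname == "host":
            work += 1  # upstream or DNS resolution
    return ParseResult(200, "OK", headers, work)


if __name__ == "__main__":
    tracing = [("Host", "example.test")] + [("X-Trace-%d" % i, "v") for i in range(30)]
    print(parse_request(build_request(tracing)))        # 431, never parsed
    hosts = [("Host", "h%d.test" % i) for i in range(20)]
    print(parse_request(build_request(hosts)))          # 400 on the second Host
    normal = [("Host", "example.test"),
              ("Cookie", "a=1; b=2; c=3"),
              ("Authorization", "Bearer <constructed-token>")]
    print(parse_request(build_request(normal)))         # 200, work_units == 5
```

Because the count check precedes parsing, the 31-header tracing request is refused with a 431 before a single header value is touched, and the 20-Host request is cut off at the second Host rather than triggering 20 lookups. A real proxy would also bound total header bytes; the count limit is the part that directly addresses the per-header processing cost the answer describes.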