
I am able to set custom error pages for application-level errors with the help of customErrors, as well as for HTTP errors with httpErrors. But neither of them handles the HTTP 414 error.

I have gone through the answer on this article, but I am not sure whether I haven't researched enough to handle a custom error page for this.

Akshay Raut
  • Those suggesting edits here assumed that this question is about the Jetty server, but it's not. It's about IIS, for which I had applied tags to this question. – Akshay Raut Mar 20 '20 at 14:14

1 Answer

Since the 414 URI Too Long (RFC 7231 6.5.12) is an error caused by a malformed /path?query part of a URI in the very first line of an HTTP request, the server never sees any other headers, including the Host: header of the second line: it already responds right after it gets the too-long URI, e.g.

-->   GET /imagine/this/was/a/.../too.long?request=url HTTP/1.1
<--   HTTP/1.1 414 Request-URI Too Long
<--   Content-Type: text/html; charset=us-ascii
<--   Server: Microsoft-HTTPAPI/2.0

Therefore, it's natural that you cannot configure custom 414 pages per site on any web server.

I thought this would be possible server-wide on IIS using global IIS > Error Pages, but based on a test it seems that the 414 error is fixed and cannot be modified at all. The only source article I could find was from Microsoft's retired KB content, Error Message: HTTP 414 - Request - URI Too Long:

IIS checks the string length of the URI and does not service a request when the URI is longer than expected. This is by design.

However, this condition should be rare as you could easily prevent it from happening by:

  • using POST instead of GET whenever there could be longer query data than 2000 characters.
  • being careful that any redirection won't cause a loop where the URL itself gets used as a prefix.

With these principles a user would never see the page, and the human readable custom error pages are merely for users: any software can use the error code from the very first response header line.

Esa Jokinen
  • Right. This has come up as a security vulnerability, which is why I was researching this as much as possible, since an attacker could try any combinations. Thanks for the detailed info about that KB content too – Akshay Raut Jun 19 '17 at 14:04
  • What's the security vulnerability here? If IIS blocks all of these fine giving the `414` error, there shouldn't be any security related worries. – Esa Jokinen Jun 19 '17 at 14:06
  • The vulnerability came here as to remove that Server : Microsoft HTTP API/2.0 header from response. – Akshay Raut Jun 20 '17 at 07:07
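
The ordering the answer describes, as an added example (not code from the post and not how IIS or HTTP.sys is implemented): a toy request handler that enforces a request-line limit before it reads any header, so the 414 is issued before a site can be selected. The limit value, the `SITES` table, the host names and the function names are all assumptions made for illustration.

```python
import io

MAX_REQUEST_LINE = 2000  # constructed limit for this sketch, not an IIS setting

# Constructed per-site configuration: each virtual host has its own 404 page.
SITES = {
    "a.example": {"pages": {"/": "site A home"}, "error_404": "site A custom 404"},
    "b.example": {"pages": {"/": "site B home"}, "error_404": "site B custom 404"},
}

def handle(raw: bytes):
    """Process one raw request; return (status, body, host_seen)."""
    stream = io.BytesIO(raw)
    # Step 1: read the request line only, never more than the limit + 1 byte.
    line = stream.readline(MAX_REQUEST_LINE + 1)
    if len(line) > MAX_REQUEST_LINE:
        # Rejected here: the Host header is still unread, so no site has been
        # selected and only a fixed, server-wide response can be returned.
        return 414, "Request-URI Too Long", None
    parts = line.decode("ascii", "replace").split()
    if len(parts) != 3:
        return 400, "Bad Request", None
    target = parts[1]
    # Step 2: only now are the headers read and the site resolved.
    host = None
    for header in iter(stream.readline, b""):
        if header in (b"\r\n", b"\n"):
            break
        name, _, value = header.decode("ascii", "replace").partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    site = SITES.get(host)
    if site is None:
        return 400, "Bad Request", host
    # Step 3: per-site pages, including custom error pages, apply from here on.
    path = target.split("?", 1)[0]
    if path in site["pages"]:
        return 200, site["pages"][path], host
    return 404, site["error_404"], host

def request(path: str, host: str) -> bytes:
    """Build a constructed GET request for the given path and Host header."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")
```

The 404 differs per host while the 414 is identical for every host, because the handler returns it with `host_seen` still `None`.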