> Also, what a potential test scenario would look like. We saw “WARN
> HttpParser - Header is too large 8193>8192” in our log file and we would
> like to control it.


Before you go and make the header larger, know that there is a global probe
of systems for vulnerabilities with large headers.

We, Jetty, have a CVE filed for it at CVE-2019-17638.
See: https://www.eclipse.org/jetty/security-reports.html

Your version, 9.4.20, is not vulnerable to that header size issue, but it
is subject to other security issues; see the security-reports link and
familiarize yourself with your 9.4.20 scoped security issues at a minimum.

If you want to configure for larger headers at the server side simply to
eliminate that warning, know that it will still be there: the vulnerability
probes will just keep increasing their header sizes until it triggers a
different kind of response. You will continue to get these warnings.

No legitimate (and bug-free) client will send headers that large.
Most modern browsers will even fail the request at the browser side before
even attempting to send the request with headers that large, as they have
internal limits (on overall header table size, individual header size,
overall URL size, etc.).

Joakim Erdfelt / [email protected]


On Mon, Oct 5, 2020 at 10:49 AM Eze Ikonne <[email protected]> wrote:

> Hi all,
>
> I would like to know what method/API to set in order to control Maximum
> Header length and Maximum Form content size.
>
> We are running embedded jetty-server-9.4.20.v20190813 and I would like to
> control the Maximum Header Length size and Maximum Form content size.
>
> Also, what a potential test scenario would look like. We saw “WARN
> HttpParser - Header is too large 8193>8192” in our log file and we would
> like to control it.
>
> Thanks,
>
> Ike
> =====================================================
> Please refer to https://northamerica.altran.com/email-disclaimer
> for important disclosures regarding this electronic communication.
> =====================================================
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
>
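
For the question about which API controls these limits and how to test them, here is an added example (not code from the thread or from the Jetty project) that states the limits explicitly on an embedded Jetty 9.4 server and exercises the header limit in-process through `LocalConnector`. It assumes `jetty-server` 9.4.x is on the classpath; the class name `HeaderLimitCheck` and the form-limit values are chosen for this example.

```java
import java.util.Arrays;

import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.LocalConnector;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ContextHandler;

public class HeaderLimitCheck {
    public static void main(String[] args) throws Exception {
        // State the request header limit explicitly instead of raising it.
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.setRequestHeaderSize(8192); // the "8192" in the WARN line

        Server server = new Server();
        // LocalConnector keeps the test in-process: no network listener is opened.
        LocalConnector connector = new LocalConnector(server, new HttpConnectionFactory(httpConfig));
        server.addConnector(connector);

        ContextHandler context = new ContextHandler("/");
        context.setMaxFormContentSize(200000); // max form body bytes (value chosen for this example)
        context.setMaxFormKeys(1000);          // max form fields (value chosen for this example)
        server.setHandler(context);

        server.start();
        try {
            // No handler is mapped, so the small request gets an ordinary error status;
            // the oversized one is rejected by HttpParser and logs "Header is too large".
            System.out.println("1 KiB header: " + statusLine(connector, 1024));
            System.out.println("9 KiB header: " + statusLine(connector, 9 * 1024));
        } finally {
            server.stop();
        }
    }

    // Sends one request with a single padding header and returns the response status line.
    static String statusLine(LocalConnector connector, int headerBytes) throws Exception {
        char[] pad = new char[headerBytes];
        Arrays.fill(pad, 'a');
        String request = "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n"
                + "X-Pad: " + new String(pad) + "\r\n\r\n";
        String response = connector.getResponse(request);
        if (response == null) {
            return "(connection closed without a response)";
        }
        int eol = response.indexOf("\r\n");
        return eol < 0 ? response : response.substring(0, eol);
    }
}
```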