New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/http: optional Request-line length limit #15494
Comments
Can't you just do it yourself in your |
Hi @bradfitz Thanks for the info. I originally thought that I did a quick test and seems like it also is limiting the read-line Thanks |
I'll send a documentation change. |
Thanks for clarifying! 👍 🍺 |
Hi @bradfitz One last question, would you be open to having a separate The problem I am having right now is coming up with a value that works for both headers vs. request line. I'd also be happy to submit a contribution to help. Cheers |
No, we have enough knobs. I don't think there's enough of a use case to warrant a new knob. |
Fair enough |
Using net/http ReverseProxy server and encountering cases where it would be ideal to reject HTTP requests that exceed a request-line greater than some configurable value.
According to the RFC and request-line:
there is no predefined limit on the request line size, so the http server in go is doing the right thing.
However scenarios such as plain old invalid requests or potentially malicious requests with large payloads, it would be ideal to have the option to cap the request-line and return a 400 - Bad Request.
Any thoughts on potentially providing optional support to have a max length request line?
Cheers
The text was updated successfully, but these errors were encountered: