Re: Header Size? Was: Our Schedule

From: Simone Bordet <simone.bordet@gmail.com>
Date: Thu, 29 May 2014 09:39:55 +0200
Message-ID: <CAFWmRJ3UKr429z5j8j6hwWiFomtog_5nz5iGYo9bP+3ecCaLZQ@mail.gmail.com>
To: Willy Tarreau <w@1wt.eu>
Cc: Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>

On Thu, May 29, 2014 at 7:25 AM, Willy Tarreau <w@1wt.eu> wrote:
> On Thu, May 29, 2014 at 04:52:51PM +1200, Amos Jeffries wrote:
>> Personally I am in favour of 64K limit on headers. However, the
>> Cookie/Set-Cookie size problem is a hard nut to crack.
>> Also might I remind that Squid already has a few complaints about our
>> 32KB default limit and people patching the code to handle >64KB
>> individual header length for auth tokens in NTLM/Negotiate logins when
>> (long) lists of groups and SID are encoded inside them.
> FWIW, haproxy ships with an 8kB default limit, and in our appliances
> it's even 7kB. We had maybe only twice to explain to people how to
> raise the limit, and each time it was because of an application bug
> causing cookies to be duplicated for each request, resulting in
> requests of several 10s of kB after hundreds of requests. I personally
> don't expect such an application bug to drive the protocol limits :-)
> Just like Greg, I think that 8kB is already a high reasonable limit
> and that if we push it to 16kB we cover most usages. It's possible
> that Richard's stats include bogus applications and/or attacks BTW.

From Richard's numbers, the headers greater than 16k represent
0.026% of the hits, so 16 KiB indeed covers most usages.

Simone Bordet
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz
Received on Thursday, 29 May 2014 07:40:22 UTC
