I am using the embedded Jetty Container and came across the problem that the server.max-http-header-size property is "only" used to set the size of the request header. Jetty differentiates between request and response header size. I know that you can set the response header size by providing your own customizer. But the name of the property indicates that it affects all header sizes, not only the request ones. So wouldn't it make sense to use the property on both response and request header size?
As of now the JettyWebServerFactoryCustomizer only uses setRequestHeaderSize but in my opinion should also use setResponseHeaderSize.
I am more than happy to provide the minimal change in a pull request if this change is seen as useful.
Comment From: wilkinsona
Thanks for raising this. There are some differences among the 4 web servers that we support and some inconsistencies in how we configure them.
- Jetty – as you've described, Jetty allows both request and response header sizes to be limited and to have different limits. We only configure the limit for requests
- Netty – only allows the request header size to be limited
- Tomcat – uses one setting, which we configure, to limit request and response header sizes
- Undertow – only allows the request header size to be limited
If it weren't for Tomcat, I'd be in favour of updating the description of the property to indicate that it only applies to requests. Given that Tomcat already applies the setting to responses and requests, I think I'm in favour of aligning Jetty with that. I'm a little unsure about doing so in a maintenance release as it's possible that someone using Jetty is currently relying on being able to send a response with headers that are greater in size than the limit they've configured for requests.
An alternative would be to discuss a change with the Tomcat team so it allows separate limits for requests and responses. We could then add Tomcat and Jetty-specific properties for the response header size limit and document the existing property as being request-only.
Flagging for discussion at a team meeting so that we can consider these options and any others that haven't occurred to me.
Comment From: philwebb
We discussed this today and we'd really like to align things if possible so that the property is just used for the request header. @markt-asf would an enhancement to Tomcat be possible so that the request and response max header size can be configured independently? Should we raise an issue for this?
Comment From: markt-asf
Yes, please raise an issue. I suspect we'll separate them out into two new settings with the old setting being used as a default and removed for 10.1.x onwards.
Comment From: philwebb
Thanks Mark, I've opened https://bz.apache.org/bugzilla/show_bug.cgi?id=65866
Comment From: aooohan
Hi, @wilkinsona. Can this issue be assigned to me? I will align that 'server.max-http-header-size' property only for requests, and add Tomcat and Jetty-specific properties for response header size limit.
Comment From: wilkinsona
Thanks for the offer, @aooohan. Unfortunately, I don't think we're quite ready to start work on this one.
I think it may be confusing if we only apply a property named server.max-http-header-size to requests. It should perhaps be renamed to server.max-http-request-header-size. Alternatively, we may want to name it server.request.max-http-header-size. We could then add server.tomcat.response.max-http-header-size and move properties like server.tomcat.max-swallow-size to server.tomcat.request.max-swallow-size.
I'll update the labels to reflect the need for some design work.
Comment From: wilkinsona
We're going to introduce server.max-http-request-header-size. We'd like to keep server.max-http-header-size in a deprecated form but that will require us to keep its current behaviour. If both properties are set, we should throw an exception. If that proves to be too complicated, we may just remove server.max-http-header-size.
We are not going to introduce Jetty- and Tomcat-specific properties for the response header size at this time. We may do so in the future, however.
Comment From: abhishek-zipy
@wilkinsona Thank you for picking this issue, I am also facing the same problem when my response header is big.
May I know in which version of Spring Boot it will be fixed?
Comment From: bclozel
@abhishek-zipy it is scheduled for the 3.0.x milestone, meaning we would like to tackle it in the 3.0.x generation. As it is an enhancement and we're almost at the RC stage this is likely to be rescheduled for 3.1.0.
Comment From: abhishek-zipy
@bclozel Thank you for the reply. Is there any fix for now in the Spring Boot 2.5.12 version?
Comment From: bclozel
@abhishek-zipy As described in the original post, you can use your own `JettyWebServerFactoryCustomizer` to configure the server. See https://docs.spring.io/spring-boot/docs/current/reference/html/howto.html#howto.webserver.configure
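
One way to write the customizer mentioned above so that Jetty's response header limit is set independently of server.max-http-header-size. This is an added example, not code from the thread or from Spring Boot; the class name and the 16 KB limit are assumptions chosen for illustration.

```java
import org.eclipse.jetty.server.ConnectionFactory;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration;
import org.springframework.boot.web.embedded.jetty.JettyServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.stereotype.Component;
import org.springframework.util.unit.DataSize;

// Hypothetical class name; any bean implementing WebServerFactoryCustomizer is picked up.
@Component
public class JettyResponseHeaderSizeCustomizer
        implements WebServerFactoryCustomizer<JettyServletWebServerFactory> {

    // Assumed value for this example. Keep it as small as the largest response
    // headers the application legitimately sends; Jetty's own default is 8 KiB.
    private static final DataSize MAX_RESPONSE_HEADER_SIZE = DataSize.ofKilobytes(16);

    @Override
    public void customize(JettyServletWebServerFactory factory) {
        factory.addServerCustomizers(server -> {
            for (Connector connector : server.getConnectors()) {
                for (ConnectionFactory cf : connector.getConnectionFactories()) {
                    // HTTP/1.1 and HTTP/2 connection factories both expose their
                    // HttpConfiguration through this interface.
                    if (cf instanceof HttpConfiguration.ConnectionFactory) {
                        HttpConfiguration config =
                                ((HttpConfiguration.ConnectionFactory) cf).getHttpConfiguration();
                        // Only the response limit is touched here; the request limit
                        // stays under the control of server.max-http-header-size.
                        config.setResponseHeaderSize((int) MAX_RESPONSE_HEADER_SIZE.toBytes());
                    }
                }
            }
        });
    }
}
```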