Home
Blog
Understanding HTTP Header Size Limits in...

Understanding HTTP Header Size Limits in Apache and Nginx
Adam C. |

When you start adding SSO providers, JWTs, or large cookies to your web stack, you’ll eventually hit a frustrating error:

400 Bad Request – Request Header Or Cookie Too Large
431 Request Header Fields Too Large
502 Bad Gateway – upstream sent too big header

These errors are not random—they happen because web servers like Apache and Nginx enforce limits on HTTP header size. Let’s break down the defaults, how to tune them, and why you should resist the temptation to set them “infinitely large.”

Photo by Joanna Kosinska on Unsplash

Why header size matters

Cookies: Each cookie can be up to ~4 KB. Multiply that by multiple cookies and you can easily exceed 8 KB.

JWTs / OAuth tokens: A single token can be >10 KB.

Reverse proxies: You not only care about incoming request headers (from browsers) but also response headers (from your app), especially if your app sets big Set-Cookie values.

If the server’s buffer is too small, it rejects the request/response with 400/431/502 errors.

Nginx defaults vs tuning

Defaults (64-bit builds):

client_header_buffer_size   1k;
large_client_header_buffers 4 16k;
proxy_buffer_size           8k;
proxy_buffers               8 8k;
proxy_busy_buffers_size     16k;
http2_max_field_size        16k;
http2_max_header_size       64k;

Request side: A single header line can only be 1k, and the total request headers 64 KB.

Response side: A single upstream response header can’t exceed 8 KB.

Common tuning (for Auth0, SSO, large cookies):

# Requests (client → Nginx)
client_header_buffer_size   64k;
large_client_header_buffers 16 64k;

# Responses (upstream → Nginx)
proxy_buffer_size        16k;
proxy_buffers            8 16k;
proxy_busy_buffers_size  32k;

# HTTP/2 (mod_http2 in Nginx)
http2_max_field_size     32k;
http2_max_header_size    128k;

This raises both sides to handle bigger cookies and longer auth headers.

Apache 2.4 defaults vs tuning

HTTP/1.x defaults:

LimitRequestFieldSize 8190    # ≈ 8 KB per header
LimitRequestLine      8190    # ≈ 8 KB for entire request line
LimitRequestFields    100     # max number of headers

HTTP/2 defaults (mod_http2):

H2MaxHeaderListSize 65536     # 64 KB total headers

Safe tuning for larger headers:

# HTTP/1.x
LimitRequestFieldSize 16384
LimitRequestLine      16384

# HTTP/2
H2MaxHeaderListSize   131072   # 128 KB

Why not set these “too large”?

It might be tempting to set everything to 512 KB or 1 MB “just in case.” But that creates problems:

Memory pressure: Apache and Nginx allocate buffers per connection. Large settings × many concurrent connections = wasted RAM.

DoS surface: Attackers can exploit large headers to tie up server resources.

Real-world limits: Browsers themselves rarely send >16 KB per cookie header. Most apps don’t need more than ~128 KB total.

The sweet spot is 16 KB per header and 128 KB total for HTTP/2—large enough for SSO tokens, but not so large that you waste memory.

Troubleshooting checklist

Seeing 400 Bad Request? → Raise client_header_buffer_size / large_client_header_buffers (Nginx) or LimitRequestFieldSize (Apache).

Seeing 431 Request Header Fields Too Large (HTTP/2)? → Raise http2_max_header_size (Nginx) or H2MaxHeaderListSize (Apache).

Seeing 502 upstream sent too big header? → Raise proxy_buffer_size (Nginx). Apache rarely needs this because it streams headers.

TL;DR

Nginx defaults are strict (1k per header line, 8k per response header). Tune both request and proxy buffers.

Apache defaults are looser for HTTP/2 (64 KB), but still only 8 KB per header for HTTP/1.

Don’t overshoot—large buffers eat memory and open DoS risks.

Recommended safe values:

16 KB per header

128 KB total for HTTP/2

That’s enough for real-world cookies, JWTs, and SSO without bloating your servers.