net/http: optional Request-line length limit #15494
I am using a net/http ReverseProxy server and encountering cases where it would be ideal to reject HTTP requests whose request-line exceeds some configurable value.
According to the RFC and request-line:
there is no predefined limit on the request line size, so the HTTP server in Go is doing the right thing.
However, in scenarios such as plain old invalid requests or potentially malicious requests with large payloads, it would be ideal to have the option to cap the request-line and return a 400 - Bad Request.
Any thoughts on potentially providing optional support to have a max length request line?
One last question, would you be open to having a separate
The problem I am having right now is coming up with a value that works for both headers vs. request line.
I'd also be happy to submit a contribution to help.
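An added example, not part of the original thread or of net/http: a handler wrapper that returns 400 when the request line exceeds a configurable length, which is one way to get the behaviour requested above in front of a ReverseProxy today. `limitRequestLine`, `requestLineLen` and `statusFor` are hypothetical names, and the requests are constructed. The check runs after net/http has already parsed the request, so it limits what gets forwarded, not what the server reads; `Server.MaxHeaderBytes` bounds the request line and headers together at read time.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requestLineLen reconstructs the length of "METHOD SP request-target SP HTTP-version".
// r.RequestURI is the unmodified request-target as sent by the client.
func requestLineLen(r *http.Request) int {
	return len(r.Method) + 1 + len(r.RequestURI) + 1 + len(r.Proto)
}

// limitRequestLine (hypothetical helper) answers 400 Bad Request when the
// request line is longer than max bytes; otherwise it calls next, which in
// the scenario above would be the httputil.ReverseProxy.
func limitRequestLine(max int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if requestLineLen(r) > max {
			http.Error(w, "request line too long", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a constructed GET for target through the limiter and
// returns the status code; the backend stands in for the proxy.
func statusFor(max int, target string) int {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, target, nil)
	limitRequestLine(max, backend).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor(64, "/ok"))                                 // short request line
	fmt.Println(statusFor(64, "/search?q="+strings.Repeat("A", 200))) // oversized request line
}
```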