proposal: net/http: add option to limit header count in Server #62298
Comments
seankhliao
changed the title
|
cc @neild |
|
Any progress? |
Resolves issue golang#62298 by adding a new Server.MaxHeaderCount option.
|
I have made a draft of what a PR would entail. Care to share your thoughts on this? @seankhliao @neild |
|
Sorry for the late reply. What the HTTP receiver really cares about is the amount of bytes of headers, it's also what really matters. The number of headers tells us almost nothing because the amount of bytes is still ambiguous. If you're trying to limit the number of headers, I believe lowering the |
|
Tks for the response. As I've first described, the issue here is that a malicious request can have a lot of small header key-values and still fall within a reasonable MaxHeaderBytes limit. Since an incoming request header is always parsed into a map, the server will be making a lot of allocs for that request. The current code also puts a cap on the estimated map capacity, making the situation worse. Amplifying the number of these malicious requests can put significant pressure on the gc, causing performance issues. Reducing MaxHeaderBytes can help, but may not be feasible without affecting legitimate requests. Even if we don't give the option to specify number of headers, a hardcoded a limit or limit configurable via env can work too. |
Proposal
Right now
net/httphasServer.MaxHeaderBytesto limit request header size. Proposing an additionalServer.MaxHeaderCountto limit total number of headers.Rationale
Granted that
Serveralready has quite a number of tunable fields, none address the issue of DOS attacks that send a boatload of headers. Even when limiting total header size to 64k, an attacker can still send ~13k headers in a single request. This puts visible pressure on the GC as the number of malicious requests scale up.Implementing this is trivial with existing code.
Any hint of a workaround would be appreciated too.
The text was updated successfully, but these errors were encountered: