You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Right now net/http has Server.MaxHeaderBytes to limit request header size. Proposing an additional Server.MaxHeaderCount to limit total number of headers.
Granted that Server already has quite a number of tunable fields, none address the issue of DOS attacks that send a boatload of headers. Even when limiting total header size to 64k, an attacker can still send ~13k headers in a single request. This puts visible pressure on the GC as the number of malicious requests scale up.