Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

proposal: net/http: add option to limit header count in Server #62298

Open
imacks opened this issue Aug 26, 2023 · 2 comments
Open

proposal: net/http: add option to limit header count in Server #62298

imacks opened this issue Aug 26, 2023 · 2 comments
Labels
Proposal
Milestone
Proposal

Comments

@imacks
Copy link
Contributor

imacks commented Aug 26, 2023

Proposal

Right now net/http has Server.MaxHeaderBytes to limit request header size. Proposing an additional Server.MaxHeaderCount to limit total number of headers.

Rationale

Granted that Server already has quite a number of tunable fields, none address the issue of DOS attacks that send a boatload of headers. Even when limiting total header size to 64k, an attacker can still send ~13k headers in a single request. This puts visible pressure on the GC as the number of malicious requests scale up.

Implementing this is trivial with existing code.

Any hint of a workaround would be appreciated too.
@gopherbot gopherbot added this to the Proposal milestone Aug 26, 2023
@seankhliao seankhliao changed the title proposal: net/http Server add option to limit header count proposal: net/http: add option to limit header count in Server Aug 26, 2023
@seankhliao
Copy link
Member

cc @neild

@imacks
Copy link
Contributor Author

imacks commented Nov 23, 2023

Any progress?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Proposal
Projects
Proposals
Status: Incoming
Milestone
Proposal
Development

No branches or pull requests
3 participants
@gopherbot @seankhliao @imacks