Increase default property server.max-http-request-header-size from 8KB to 16KB

[mbazos]

I am not sure if the Spring Boot team would be willing to do this but some time ago in the nodejs ecosystem and some other ecosystems they typically default the max http request header size to 16KB:
nodejs/node#32520

Case for this:
Spring Boot is used extensively in the backend while up the stack it's not uncommon in various architectures to see midtier apps/front ends use different technologies like nodejs that by default accept larger header sizes by default. Obviously this could always be a moving target but 8KB does seem a little aggressive and I think it's that way to minimize DDoS attacks.

Anyways I am not sure what your thoughts are but figured it would be good to ask if we could consider increasing the default max header size from 8KB to 16KB

For some more context and past discussions you can see here
nodejs/node#27645

...and yes I am aware another approach is to just always set this property but just seeing if we think 16KB would be a reasonable default

[bclozel]

I think we're just going with the defaults that popular servers are using these days:

• Tomcat
• Jetty
• Reactor Netty

It would be strange for Spring Boot to pick defaults considered as "less safe" than what supported servers chose.

[wilkinsona]

I agree with Brian. I thought we had a test to check that our default aligns with Tomcat's default, but I can't find it. I've opened #46977 to add one so that we can consider updating Boot's default should Tomcat change its default in the future.

/cc @markt-asf.

[mbazos]

Thanks yeah I think that's probably a good decision to align with the popular servers and having a check that spring boot default is a good idea. Thanks for getting back to me on this so quickly