Best IT Recipes

What is the limit for QueryString / GET / URL parameters

What is the limit for QueryString / GET / URL parameters

+51
query-string
Jun 22 '10 at 8:33
source share
4 answers

In theory, there is no limit. For HTTP HTTP 1.1 URLs, the specification reads:

HTTP does not set an a priori limit on the length of a URI. Servers MUST be able to handle the URIs of any resource they serve, and SHOULD be able to handle URIs of unlimited length if they provide GET-based forms that can generate such URIs. The server SHOULD return 414 (Request-URI Too Long) status if the URI is longer than the server can process (see section 10.4.15).

But in practice, many clients and servers only support URLs up to a certain length. The rule should not use URLs up to 2000 characters long (percentage encoding has already been taken into account).

+59
Jun 22 '10 at 8:40
source share

There is no definite limit. However, RFC 2068 states:

The HTTP protocol does not establish an a priori limitation on the length of a URI. Servers MUST be able to handle the URIs of any resource that they serve, and SHOULD be able to handle URIs of unlimited length if they provide GET-based forms that can generate such URIs. The server MUST return 414 (Request-URI Too Long) if the URI is longer than the server can process (see Section 10.4.15). Note. Servers must be careful depending on the length of the URIs above 255 bytes, as some older client or proxy implementations may not support this length properly.

+5
Jun 22 2018-10-10T00:
source share

Although officially there are no restrictions, many security recommendations indicate that maxQueryStrings should have a maximum limit of 1024 characters on the server, and that the entire URL, including the query string, should be no more than 2048 characters. This is done in order to prevent the Slow HTTP Request vulnerability on the web server and to prevent the slow DDOS attacks that are detected on the Qualys web application scanner and other security scanners.

Please see the code below for Windows IIS servers with Web.config:

<security> <requestFiltering> <requestLimits maxQueryString="1024" maxUrl="2048"> <headerLimits> <add header="Content-type" sizeLimit="100" /> </headerLimits> </requestLimits> </requestFiltering> </security>
0
Jun 10 '19 at 13:46 on
source share

I remember that the standard defines 1024 bytes for a URL (including a query string), but I also read somewhere that Internet Explorer accepts up to 2083 characters. It probably depends on the browser ...

-one
Jun 22 '10 at 8:37
source share


More articles:


All Articles