What is the maximum possible length of a query string

Question

Is it browser dependent   Also  do different web stacks have different limits on how much data they can get from the request

User · Answer

Although officially there is no limit specified by RFC 2616, many security protocols and recommendations state that maxQueryStrings on a server should be set to a maximum character limit of 1024. While the entire URL, including the querystring, should be set to a max of 2048 characters. This is to prevent the Slow HTTP Request DDOS vulnerability on a web server. This typically shows up as a vulnerability on the Qualys Web Application Scanner and other security scanners.

Please see the below example code for Windows IIS Servers with Web.config:

<system.webServer>
<security>
    <requestFiltering>
        <requestLimits maxQueryString="1024" maxUrl="2048">
           <headerLimits>
              <add header="Content-type" sizeLimit="100" />
           </headerLimits>
        </requestLimits>
     </requestFiltering>
</security>
</system.webServer>

This would also work on a server level using machine.config.

Note: Limiting query string and URL length may not completely prevent Slow HTTP Requests DDOS attack but it is one step you can take to prevent it.

User · Answer

Different web stacks do support different lengths of http-requests   I know from experience that the early stacks of Safari only supported 4000 characters and thus had difficulty handling ASP net pages because of the USER-STATE   This is even for POST  so you would have to check the browser and see what the stack limit is   I think that you may reach a limit even on newer browsers   I cannot remember but one of them  IE6  I think  had a limit of 16-bit limit  32 768 or something

User · Answer

RFC 2616  Hypertext Transfer Protocol     HTTP 1 1  states there is no limit to the length of a query string  section 3 2 1   RFC 3986  Uniform Resource Identifier     URI  also states there is no limit  but indicates the hostname is limited to 255 characters because of DNS limitations  section 2 3 3    While the specifications do not specify any maximum length  practical limits are imposed by web browser and server software  Based on research which is unfortunately no longer available on its original site  it leads to a shady seeming loan site  but which can still be found at Internet Archive Of Boutell com    Microsoft Internet Explorer  Browser  Microsoft states that the maximum length of a URL in Internet Explorer is 2 083 characters  with no more than 2 048 characters in the path portion of the URL  Attempts to use URLs longer than this produced a clear error message in Internet Explorer  Microsoft Edge  Browser  The limit appears to be around 81578 characters  See URL Length limitation of Microsoft Edge Chrome It stops displaying the URL after 64k characters  but can serve more than 100k characters  No further testing was done beyond that  Firefox  Browser  After 65 536 characters  the location bar no longer displays the URL in  Windows Firefox 1 5 x  However  longer URLs will work  No further testing was done after 100 000 characters  Safari  Browser  At least 80 000 characters will work  Testing was not tried beyond that  Opera  Browser  At least 190 000 characters will work  Stopped testing after 190 000 characters  Opera 9 for Windows continued to display a fully editable  copyable and pasteable URL in the location bar even at 190 000 characters  Apache  Server  Early attempts to measure the maximum URL length in web browsers bumped into a server URL length limit of approximately 4 000 characters  after which Apache produces a  413 Entity Too Large  error  The current up to date Apache build found in Red Hat Enterprise Linux 4 was used  The official Apache documentation only mentions an 8 192-byte limit on an individual field in a request  Microsoft Internet Information Server  Server  The default limit is 16 384 characters  yes  Microsoft s web server accepts longer URLs than Microsoft s web browser   This is configurable  Perl HTTP  Daemon  Server  Up to 8 000 bytes will work  Those constructing web application servers with Perl s HTTP  Daemon module will encounter a 16 384 byte limit on the combined size of all HTTP request headers  This does not include POST-method form data  file uploads  etc   but it does include the URL  In practice this resulted in a 413 error when a URL was significantly longer than 8 000 characters  This limitation can be easily removed  Look for all occurrences of 16x1024 in Daemon pm and replace them with a larger value   Of course  this does increase your exposure to denial of service attacks

[browser] What is the maximum possible length of a query string?

Examples related to browser

Examples related to max

Examples related to query-string