What is the limit on QueryString / GET / URL parameters

http query-string

What is the limit on QueryString / GET / URL parameters


Solution 1:

There is no limit in theory. For HTTP URLs, the HTTP 1.1 specification states:

The HTTP protocol does not place any a priori limit on the length of a URI. Servers MUST be able to handle the URI of any resource they serve, and SHOULD be able to handle URIs of unbounded length if they provide GET-based forms that could generate such URIs. A server SHOULD return 414 (Request-URI Too Long) status if a URI is longer than the server can handle (see section 10.4.15).

But in practice, many clients and servers do only support URLs up to a certain length. The rule of thumb is not to use URLs longer than 2000 characters (percent encoding already taken into account).

Solution 2:

There is no defined limit. However, RFC 2068 states:

The HTTP protocol does not place any a priori limit on the length of a URI. Servers MUST be able to handle the URI of any resource they serve, and SHOULD be able to handle URIs of unbounded length if they provide GET-based forms that could generate such URIs. A server SHOULD return 414 (Request-URI Too Long) status if a URI is longer than the server can handle (see section 10.4.15). Note: Servers should be cautious about depending on URI lengths above 255 bytes, because some older client or proxy implementations may not properly support these lengths.

Solution 3:

Although officially there is no limit specified by RFC 2616, many security protocols and recommendations state that maxQueryStrings on a server should be set to a maximum character limit of 1024. While the entire URL, including the querystring, should be set to a max of 2048 characters. This is to prevent the Slow HTTP Request DDOS vulnerability on a web server. This typically shows up as a vulnerability on the Qualys Web Application Scanner and other security scanners.

Please see the below exampple code for Windows IIS Servers with Web.config:

This would also work on a server level using machine.config.

Note: Limiting query string and URL length may not completely prevent Slow HTTP Requests DDOS attack but it is one step you can take to prevent it.

Related

Spring profiles and testing
What is the default implementation of `hashCode`? [duplicate]
AppDomain and MarshalByRefObject life time : how to avoid RemotingException?
Why does CSS2.1 define overflow values other than "visible" to establish a new block formatting context?
Ruby on Rails plural (controller) and singular (model) convention - explanation
How to specify const array in global scope in Rust?
Is it mandatory to save *.iml files in Version control?
Transition to another route on successful async redux action
What C++11 features does Visual Studio 2010 support?
Pythonic way to split a list into first and rest?
Maven best practice for creating ad hoc zip artifact
What is the default font family in Android?