What is the average size of an HTTP request/response header?

I am working with an embedded platform that has 16MB of RAM only. And I need to deep packet filter HTTP streams. To prevent a Denial of Service attack on the device I'd like some statistical averages regarding HTTP stream sizes, specifically the HTTP header in particular.


From Google's SPDY research project whitepaper

Uncompressed request and response headers. Request headers today vary in size from ~200 bytes to over 2KB. As applications use more cookies and user agents expand features, typical header sizes of 700-800 bytes is common.


The HTTP HEAD response from www.google.com is 823 bytes, as checked just now. This is without any authentication. About half of that is the Set-Cookie header. An easy way to check is the curl command.


I don't have any statistics to back this up (what does it mean to take a statistical average of HTTP header sizes? average over what?), but from anecdotal experience a typical HTTP header is 0.5KB and might go up to 1K or 2K (depending on cookie size, etc.). You could theoretically get HTTP headers up to 4K or 8K but that is fairly rare.