10.3 Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less


The 'LimitRequestFieldSize' directive sets the maximum size of an HTTP request header field. It is recommended that the 'LimitRequestFieldSize' directive be set to '1024' or less.


By limiting of the size of request headers is helpful so that the web server can prevent an unexpectedly long or large value from being passed to exploit a potentially vulnerable program. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. Since the configuration directives are available only at the server configuration level, it is not possible to tune the value for different portions of the same web server. Please read the Apache documentation carefully, as these requests may interfere with the expected functionality of some web applications.


Perform the following to implement the recommended state:

Add or modify the 'LimitRequestFieldSize' directive in the Apache configuration to have a value of '1024' or less.

LimitRequestFieldsize 1024

See Also


Item Details


References: 800-53|CM-6, CSCv6|9, CSCv7|5.1

Plugin: Unix

Control ID: 216bb3196cd7efbc6f7e6091370b0446d605641d38c59d9c4fa35bd6cd75d113