10.4 Ensure the LimitRequestBody Directive is Set to 102400 or Less

Information

The 'LimitRequestBody' directive limits the number of bytes that are allowed in a request body. Size of requests may vary greatly; for example, during a file upload the size of the file must fit within this limit.

Rationale:

The limiting of the size of the request body is helpful so that the web server can prevent an unexpectedly long or large request from being passed to a potentially vulnerable program. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. The 'LimitRequestBody' may be configured on a per directory, or per location context.
Please read the Apache documentation carefully, as these requests may interfere with the expected functionality of some web applications.

Solution

Perform the following to implement the recommended state:

Add or modify the 'LimitRequestBody' directive in the Apache configuration to have a value of '102400' (100K) or less. Please read the Apache documentation so it is understood this directive will limit the size of file uploads to the web server.

LimitRequestBody 102400

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|9, CSCv7|5.1

Plugin: Unix

Control ID: 7cddbbdf471fb6a6169a663daca3e18144352234adc44a930658f92012435223