10.4 Ensure the LimitRequestBody Directive is Set to 102400 or Less

Information

The LimitRequestBody directive limits the number of bytes that are allowed in a request body. Size of requests may vary greatly; for example, during a file upload the size of the file must fit within this limit.

Rationale:

The limiting of the size of the request body is helpful so that the web server can prevent an unexpectedly long or large request from being passed to a potentially vulnerable program. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. The LimitRequestBody may be configured on a per directory, or per location context. Please read the Apache documentation carefully, as these requests may interfere with the expected functionality of some web applications.

Solution

Perform the following to implement the recommended state:

Add or modify the LimitRequestBody directive in the Apache configuration to have a value of 102400 (100K) or less. Please read the Apache documentation so that it is understood that this directive will limit the size of file up-loads to the web server.

LimitRequestBody 102400

Default Value:

LimitRequestBody 0 (unlimited)

See Also

https://workbench.cisecurity.org/files/3021

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|9, CSCv7|5.1

Plugin: Unix

Control ID: 7c43aa28c68f2ee3f16fd6b80a4dc6b1c03d7e5e7a79460914ec61d332703e50