10.3 Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less

Information

The LimitRequestFieldSize limits the number of bytes that will be allowed in an HTTP request header. It is recommended that the LimitRequestFieldSize directive be set to 1024 or less.

Rationale:

By limiting of the size of request headers is helpful so that the web server can prevent an unexpectedly long or large value from being passed to exploit a potentially vulnerable program. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. Since the configuration directives are available only at the server configuration level, it is not possible to tune the value for different portions of the same web server. Please read the Apache documentation carefully, as these requests may interfere with the expected functionality of some web applications.

Solution

Perform the following to implement the recommended state:

Add or modify the LimitRequestFieldsize directive in the Apache configuration to have a value of 1024 or less.

LimitRequestFieldsize 1024

Default Value:

LimitRequestFieldsize 8190

See Also

https://workbench.cisecurity.org/files/3021