cookie bomb - how to protect?

coderman coderman at
Sun Jan 19 16:35:08 UTC 2014

On Sun, Jan 19, 2014 at 8:06 AM, mex <nginx-forum at> wrote:
> very interesting read:
> ....
> my question: is there a generic way to check the size of such headers like
> cookies etc and to cut them off, or should we live with such malicious intent?

no good one size fits all solution that i have found.  trade off here
and you worsen over there...

i have worked on an internal system (not public endpoint, internal to
DMZ only) where the request URL, or any one of the individual request
header values could approach 32KBytes in size, with a full client or
server header reaching 64+KB.

we use a custom Nginx build to handle this on the internal proxy tier
only, not public.  the public endpoints respond with a custom empty
json response body for all such 4xx/5xx errors instead of default 400
like above.

i'd love to know of more elegant ways to handle this, with header
specific handling - especially cookies, if possible...

best regards,

P.S.  off-topic, but i have used this "feature" before to check for
content middling proxies between me and endpoints.  such headers often
resulting in proxy errors or timeouts even when implemented in
transparent trying to be inconspicuous mode.

More information about the nginx mailing list