The HTTP 431 status code indicates that a server refuses to process a request because HTTP headers are too large.
While the HTTP spec doesn’t impose any limits on the size of headers, most web servers do. Servers can use this status code when the size of a single header field or the total size of all headers exceeds the limit.
More often than not, the culprit is a cookie-related header (`Cookie`). It is also worth checking the `User-Agent` header, as it can easily be spoofed.
According to the HTTP/2 specification, the cookie header may be split into multiple header fields for better compression efficiency (HPACK). That might cause a problem when there are too many cookie-related header fields.
While you can configure some web servers to accommodate larger cookies, keep in mind that this could open an avenue for a denial of service (DoS) attack.
Make sure to clear cookies from your browser before tweaking the configuration parameters.
Instead of returning the 431 status code when the cookie or header size is too large, Nginx responds with `400 Bad Request` and the message `Request Header Or Cookie Too Large`. To accommodate larger cookies or headers, keep increasing the `client_header_buffer_size` directive until you get a `200 OK` response.
If you're using the HTTP/2 module for nginx, you can set `http2_max_header_size` to control the allowed size of all headers. The default is `16k`, which means all headers together can occupy no more than 16 kilobytes of space after decompression.
Also, consider increasing the limit for the maximum size of a single request header field (HPACK-compressed). The default is `4k`, which means a request header's name or value can't exceed 4 kilobytes:

```nginx
http2_max_header_size 32k;
http2_max_field_size 8k;
```
Nginx will disconnect the HTTP/2 session upon encountering large headers or request lines instead of returning 431 or 414 status codes.
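The nginx settings discussed above, collected into one configuration as an added example (this is not configuration from the original article or from the nginx project). The buffer sizes and the hostname and certificate paths are assumptions. `large_client_header_buffers` is included because nginx falls back to those buffers when a request line or a single header field does not fit into `client_header_buffer_size`, and a field larger than one of them is what produces the 400 `Request Header Or Cookie Too Large` response; the two `http2_*` directives were made obsolete in nginx 1.19.7 in favour of `large_client_header_buffers`, so they only apply to older builds.

```nginx
http {
    # HTTP/1.1: the first buffer used to read the request head.
    # The default (1k) is enough for most requests but not for long cookies.
    client_header_buffer_size 16k;

    # Fallback buffers used when a request line or a single header field does
    # not fit into client_header_buffer_size. A request line or header field
    # larger than one of these buffers is answered with
    # 400 "Request Header Or Cookie Too Large".
    large_client_header_buffers 4 32k;

    server {
        listen 443 ssl http2;
        server_name example.test;                          # assumed hostname
        ssl_certificate     /etc/nginx/certs/example.pem;  # placeholder path
        ssl_certificate_key /etc/nginx/certs/example.key;  # placeholder path

        # HTTP/2, nginx before 1.19.7 only: total decompressed header size and
        # the HPACK-compressed size of one field. Newer builds ignore these in
        # favour of large_client_header_buffers above.
        http2_max_header_size 32k;
        http2_max_field_size 8k;

        location / {
            return 200 "ok\n";
        }
    }
}
```

Validate with `nginx -t` before reloading, then confirm the change with a request that carries a deliberately large cookie and read back only the status code: `curl -sS -o /dev/null -w '%{http_code}\n' -H "Cookie: big=$(head -c 12000 /dev/zero | tr '\0' a)" https://example.test/`. It prints `400` while the field is larger than one of the buffers and `200` once the buffers are large enough, which is the check the text above asks for.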
Starting from Node.js versions 10.15.0 and 11.6.0, you can pass the `--max-http-header-size` flag to control the maximum header size:

```sh
node --max-http-header-size=16384 index.js
```
The default was reduced from about 80 kilobytes to 8 kilobytes (8192 bytes) to prevent a denial of service attack with large HTTP headers (CVE-2018-12121).
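To see which limit a given request actually trips, it helps to measure a request head the way the limits above are applied to it: the total size of the head, which is what Node's `--max-http-header-size` bounds, and the size of the largest single field, which is what nginx's per-field buffers bound. The following diagnostic is an added example written for this page; it is not code from the original article, from Node.js or from nginx. It also reassembles a cookie header that HTTP/2 delivered as several `Cookie` fields (the HTTP/2 specification joins them with `; `), so the size of the logical cookie header is reported too. The sample request, the `example.test` host and the `constructed-client` user agent are constructed inputs; the byte counts approximate what a server's parser sees and may differ slightly from its exact accounting.

```javascript
// Added example (not code from the original article, Node.js or nginx):
// measure a raw HTTP/1.1 request head against the header-size limits
// discussed on this page and point at the largest field.

const LIMITS = {
  nodeDefaultTotal: 8192, // Node.js default since 10.15.0 / 11.6.0 (8 kilobytes)
  nginxHttp2Total: 16384, // nginx http2_max_header_size default (16k, decompressed)
};

// Byte length of a string as it would be sent on the wire (UTF-8).
const byteLength = (s) => new TextEncoder().encode(s).length;

// Split the head (request line plus header lines, each ending in CRLF) off a
// raw HTTP/1.1 message. Duplicate fields such as several Cookie lines are kept
// in order, which is how HTTP/2 may present a split cookie header.
function parseHead(raw) {
  const end = raw.indexOf('\r\n\r\n');
  const head = end === -1 ? raw : raw.slice(0, end + 2);
  const lines = head.split('\r\n').filter((line) => line.length > 0);
  const fields = [];
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(':');
    if (colon === -1) throw new Error(`malformed header line: ${line}`);
    fields.push([line.slice(0, colon).trim().toLowerCase(), line.slice(colon + 1).trim()]);
  }
  return { requestLine: lines[0], fields, headBytes: byteLength(head) };
}

// Measure the head against the limits and identify the largest single field.
function analyzeHead(raw, limits = LIMITS) {
  const { fields, headBytes } = parseHead(raw);
  let largest = { name: null, bytes: 0 };
  const cookieParts = [];
  for (const [name, value] of fields) {
    // Size of the field as written on the wire: "name: value\r\n".
    const bytes = byteLength(`${name}: ${value}\r\n`);
    if (bytes > largest.bytes) largest = { name, bytes };
    if (name === 'cookie') cookieParts.push(value);
  }
  return {
    headBytes,
    largestField: largest.name,
    largestFieldBytes: largest.bytes,
    // The logical cookie header is the "; "-joined concatenation of the parts.
    cookieBytes: byteLength(cookieParts.join('; ')),
    overNodeDefault: headBytes > limits.nodeDefaultTotal,
    overNginxHttp2Total: headBytes > limits.nginxHttp2Total,
  };
}

// Constructed sample: a request whose cookies alone exceed Node's 8k default
// but stay under nginx's 16k HTTP/2 default.
const SAMPLE_HEAD = [
  'GET /account HTTP/1.1',
  'Host: example.test',
  'User-Agent: constructed-client/1.0',
  `Cookie: session=${'a'.repeat(5000)}`,
  `Cookie: prefs=${'b'.repeat(4000)}`,
  '',
  '',
].join('\r\n');

const report = analyzeHead(SAMPLE_HEAD);
console.log(report);
// headBytes 9113, largestField 'cookie' (5018 bytes), cookieBytes 9016,
// overNodeDefault true, overNginxHttp2Total false
```

Run it with `node` and compare `headBytes` against the limit of the server in front of the application: a request that is fine for nginx's HTTP/2 default can still be rejected by a Node backend started without `--max-http-header-size`, and `largestField` tells you whether trimming a single cookie or the whole set is what is needed.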