Solved
Recommended value for maxHttpHeaderSize in Tomcat
Hello,
Are there any recommendations for setting maxHttpHeaderSize in Tomcat?
***Edited by Moderator Rupashree S. to add Capability tags***
@JohnnyG3
⚠ This is a GenAI-powered tool. All generated answers require validation against the provided references.
Default Values
The default maxHttpHeaderSize in Apache Tomcat varies depending on the connector type:
Recommended Values for Pega Applications
According to Pega Support documentation, the recommended minimum value for maxHttpHeaderSize in Pega applications is 16KB (16,384 bytes). This recommendation is based on an update that increased the default max header size used by stream data set REST service from 8KB to 16KB, as applications often have HTTP headers containing numerous cookies and meta-information that can exceed the 8KB default.
General Best Practices
For most enterprise applications, security experts and Tomcat administrators typically recommend setting the maxHttpHeaderSize to 65,536 bytes (64KB). This provides sufficient headroom for complex applications while still maintaining reasonable security constraints.
Configuration Method
To implement this change, you would need to modify your Tomcat server.xml file by adding or updating the maxHttpHeaderSize parameter in the Connector configuration:
Security Considerations
While increasing the header size can resolve issues with applications that use larger headers (like those with complex authentication mechanisms or numerous cookies), it's important to balance this against potential security implications. Setting an unnecessarily large value could potentially expose your system to certain types of attacks. The recommended 16KB for Pega applications or general 64KB recommendation provide a reasonable balance between functionality and security.
Testing Recommendation
Before implementing any changes to production systems, it's always best practice to test the configuration change in a staging environment to ensure it resolves your specific requirements without introducing any issues.
References:
Pega Support - Platform 8.1.4 Resolved Issues
Pega Support - Platform 8.2 Resolved Issues
Apache Tomcat 8 Configuration Reference
Baeldung - Max-Http-Request-Header-Size in Spring Boot
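An added example, not part of the original answer and not Pega or Tomcat code: a Python check that reads a server.xml and reports each HTTP Connector's effective maxHttpHeaderSize against the 16 KB and 64 KB figures given above. The sample server.xml is constructed, the function and constant names are hypothetical, and treating 64 KB as an upper bound is an assumption of this example.

```python
import xml.etree.ElementTree as ET

PEGA_MIN = 16_384       # 16 KB minimum the answer cites for Pega applications
GENERAL_MAX = 65_536    # 64 KB figure from the answer, used here as a ceiling (assumption)
TOMCAT_DEFAULT = 8_192  # 8 KB default that applies when the attribute is not set

# Constructed sample server.xml, not taken from any real deployment.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxHttpHeaderSize="16384"/>
    <Connector port="9090" protocol="HTTP/1.1" maxHttpHeaderSize="1048576"/>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>"""


def audit_connectors(server_xml: str):
    """Return (port, effective_size, verdict) for every HTTP Connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # AJP connectors are sized by packetSize, so they are skipped here.
        if "ajp" in conn.get("protocol", "HTTP/1.1").lower():
            continue
        raw = conn.get("maxHttpHeaderSize")
        try:
            size = int(raw) if raw is not None else TOMCAT_DEFAULT
        except ValueError:
            # e.g. an unresolved ${property} placeholder: flag for manual review
            findings.append((conn.get("port"), None, "invalid"))
            continue
        if size < PEGA_MIN:
            verdict = "too-small"   # below the 16 KB minimum cited for Pega
        elif size > GENERAL_MAX:
            verdict = "too-large"   # above the 64 KB figure in the answer
        else:
            verdict = "ok"
        findings.append((conn.get("port"), size, verdict))
    return findings


if __name__ == "__main__":
    for port, size, verdict in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: maxHttpHeaderSize={size} -> {verdict}")
```

Running it against a staging copy of server.xml before and after the change confirms which connectors actually picked up the new value.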