Problem

When Mapp Cloud receives a request whose HTTP header exceeds 8096 bytes, the request is rejected and an error 400 (Bad Request) or 413 (Payload Too Large) is returned, with a response body like the one below:

Bad Request
Your browser sent a request that this server could not understand.
Size of request header field exceeds server limit


These errors may occur in response to a simple GET request for resources such as a read-online page, a hosted image, or a tracked redirection link that would normally be expected to work instantly. Moreover, some users may see the error on one device but not on another, even though the link itself is not device-dependent, because the set of cookies stored in each browser differs.

The usual cause is excessively large cookies that your website sets on the client's device with a catch-all (parent) domain. The browser then includes that cookie data in every request to any subdomain, including the one delegated to Mapp Cloud, so Mapp Cloud receives unexpected and large cookie data in the incoming HTTP request, and its web servers return the error codes above when the complete header exceeds roughly 8 KB.

Why this happens

When a browser requests a URL from a web server, it also sends several pieces of information in the HTTP request headers. These headers can carry dates and times, the type of browser making the request, and any cookies that are valid for the domain and path in the URL.

Cookies are scoped to a specific domain, optionally including all of that domain's subdomains, and to an optional URL path. A cookie set without a Domain attribute is host-only and is returned only to the exact host that set it; a cookie set with Domain=example.com is returned to example.com and to every subdomain of it.

When a browser prepares a request, it checks its cookie store for cookies whose domain matches the host in the URL, and then checks whether each matching cookie's path matches the URL path. Every cookie that passes both checks is appended, name and value, to the Cookie request header and sent to the server.

As some Mapp Cloud products depend on a subdomain delegated to Mapp Cloud, a cookie set with a catch-all rule that is valid for any subdomain of the parent domain will also be sent on every connection to that delegated domain, even though Mapp Cloud has no use for the data. This is often an unintended consequence: whatever those cookies contain is transmitted to the delegated host on every request.

The error then occurs when the cookies scoped to your parent domain (and therefore sent to every subdomain, including the one delegated to Mapp Cloud) push the HTTP header over 8096 bytes.
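As an added illustration of the matching rules described above (example code, not Mapp Cloud's implementation), the following JavaScript reproduces the browser's cookie-selection logic from RFC 6265 and measures the Cookie field that would reach each host. The hosts www.example.com and track.example.com, the cookie names and their sizes are constructed for the example; the 8096-byte limit is the one stated on this page, and only the Cookie field is measured, since that is the field the error message names.

```javascript
// Added example: simulates which stored cookies a browser attaches to a
// request (RFC 6265 sections 5.1.3 and 5.1.4) and measures the resulting
// Cookie field. Hostnames, cookie names and sizes are constructed for
// illustration; the limit is the 8096 bytes quoted on this page.

const HEADER_LIMIT = 8096;

// RFC 6265 5.1.3: a host domain-matches a cookie domain if they are equal or
// the host ends with "." followed by the cookie domain (IP addresses ignored).
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// RFC 6265 5.1.4: a request path matches a cookie path if they are equal, or
// the cookie path is a prefix that ends in "/" or is followed by "/" in the
// request path ("/account" matches "/account/x" but not "/accounts").
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// A cookie stored without a Domain attribute is host-only: it is sent to the
// exact host that set it and never to its subdomains or its parent domain.
function cookieApplies(cookie, url) {
  const u = new URL(url);
  const domainOk = cookie.hostOnly
    ? u.hostname === cookie.domain
    : domainMatches(u.hostname, cookie.domain);
  const secureOk = !cookie.secure || u.protocol === 'https:';
  return domainOk && secureOk && pathMatches(u.pathname, cookie.path);
}

// The value of the Cookie request header the browser would send to url,
// or null when no stored cookie applies.
function buildCookieHeader(jar, url) {
  const pairs = jar.filter(c => cookieApplies(c, url)).map(c => `${c.name}=${c.value}`);
  return pairs.length ? pairs.join('; ') : null;
}

// Size in bytes of the full "Cookie: ..." field line (CRLF excluded).
function cookieFieldBytes(jar, url) {
  const value = buildCookieHeader(jar, url);
  return value === null ? 0 : new TextEncoder().encode('Cookie: ' + value).length;
}

function audit(jar, url) {
  const bytes = cookieFieldBytes(jar, url);
  return { url, bytes, overLimit: bytes > HEADER_LIMIT };
}

// Constructed cookie store for a site that delegates track.example.com to a
// third party. Two large cookies are scoped to the parent domain, so they
// travel to every subdomain; the session and prefs cookies are host-only.
const sampleJar = [
  { name: 'consent',   value: 'c'.repeat(1800), domain: 'example.com',     path: '/',        hostOnly: false, secure: true },
  { name: 'analytics', value: 'a'.repeat(6500), domain: 'example.com',     path: '/',        hostOnly: false, secure: true },
  { name: 'session',   value: 's'.repeat(200),  domain: 'www.example.com', path: '/',        hostOnly: true,  secure: true },
  { name: 'prefs',     value: 'p'.repeat(300),  domain: 'www.example.com', path: '/account', hostOnly: true,  secure: false },
];

for (const url of ['https://www.example.com/', 'https://track.example.com/r/abc']) {
  const a = audit(sampleJar, url);
  console.log(`${a.url}: Cookie field is ${a.bytes} bytes${a.overLimit ? ' (over limit)' : ''}`);
}
```

Run with Node.js. The delegated host receives both parent-scoped cookies and nothing else, yet the Cookie field alone already exceeds the limit; the other request headers add to the total the server checks, so the real margin is smaller than the number printed here.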

Recommendations 

In general, browser performance suffers because every request to the domain starts by uploading a large cookie to the web server, and potentially also to the delegated domains of other services such as Mapp Cloud, which at best have no use for the data and at worst must reject the request with an error (see HTTP compliance below).

Note that some tracking and consent services set large cookies (1 to 2 KB) scoped to the parent domain, so they are sent to all subdomains, even if you only use, for example, www for all your standard web traffic. Consider setting an explicit domain that matches only the subdomain you really need.

We therefore recommend that you:

  • Limit the size of client-side cookies, and store only what you absolutely need to store on the client device.
  • Use the cookie Path attribute so that a cookie is not sent with every request to the server, especially if the cookie's Domain attribute covers all subdomains.
  • Scope cookies to the exact host that needs them. Setting Domain=example.com effectively matches every subdomain of example.com; instead, omit the Domain attribute (which makes the cookie host-only) or set it to the specific host, for example mobile.example.com or www.example.com, so that each cookie handles data only for that host. This does mean you cannot share a cookie between your mobile and www hosts.
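As an added example (not Mapp Cloud's code), the following JavaScript turns the three recommendations above into checks over a site's Set-Cookie response headers: it parses each header, determines whether the cookie's Domain scope would carry it to a delegated host, whether it is sent on every path, and how many bytes it adds, then suggests a host-only replacement for each cookie that leaks. The Set-Cookie lines and the hosts www.example.com and track.example.com are constructed for the example; the limit is the 8096 bytes this page quotes.

```javascript
// Added example: audits the Set-Cookie headers a site emits and flags cookies
// that are scoped to the parent domain (and so also reach a subdomain
// delegated to Mapp Cloud), are sent on every path, or are large. Set-Cookie
// lines and hostnames are constructed; the limit is the 8096 bytes this page quotes.

const HEADER_LIMIT = 8096;

// Minimal Set-Cookie parser (RFC 6265 section 5.2): name=value, then
// ";"-separated attributes. Attribute names are lower-cased; flag attributes
// such as Secure or HttpOnly become true.
function parseSetCookie(line) {
  const [pair, ...rest] = line.split(';');
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of rest) {
    const [k, ...v] = part.trim().split('=');
    attrs[k.toLowerCase()] = v.length ? v.join('=').trim() : true;
  }
  return { name, value, attrs };
}

// RFC 6265 5.2.3: a leading "." in Domain is ignored. With no Domain attribute
// the cookie is host-only and is returned only to the host that set it.
function effectiveDomain(cookie, setByHost) {
  const d = cookie.attrs.domain;
  if (!d || d === true) return { domain: setByHost.toLowerCase(), hostOnly: true };
  return { domain: d.replace(/^\./, '').toLowerCase(), hostOnly: false };
}

function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// Would a browser send this cookie to otherHost (for example the subdomain
// delegated to Mapp Cloud)?
function reachesHost(cookie, setByHost, otherHost) {
  const { domain, hostOnly } = effectiveDomain(cookie, setByHost);
  const host = otherHost.toLowerCase();
  return hostOnly ? host === domain : domainMatches(host, domain);
}

// Drop the Domain attribute so the cookie becomes host-only on setByHost.
function makeHostOnly(line) {
  return line.replace(/;\s*Domain=[^;]*/i, '');
}

// Audit Set-Cookie lines emitted by setByHost against a delegated host.
function auditSetCookies(lines, setByHost, delegatedHost) {
  const findings = lines.map(line => {
    const c = parseSetCookie(line);
    const path = typeof c.attrs.path === 'string' ? c.attrs.path : '/';
    const leaks = reachesHost(c, setByHost, delegatedHost);
    return {
      name: c.name,
      bytes: c.name.length + 1 + c.value.length, // "name=value" as sent; cookie octets are ASCII
      sentOnEveryPath: path === '/',
      leaksToDelegated: leaks,
      suggestion: leaks ? makeHostOnly(line) : null,
    };
  });
  const leaked = findings.filter(f => f.leaksToDelegated);
  // "Cookie: " prefix plus "; " between pairs, as the browser would build it.
  const leakedHeaderBytes = leaked.length
    ? 8 + leaked.reduce((n, f) => n + f.bytes, 0) + 2 * (leaked.length - 1)
    : 0;
  return { findings, leakedHeaderBytes, wouldExceedLimit: leakedHeaderBytes > HEADER_LIMIT };
}

// Constructed response headers from www.example.com: two large parent-domain
// cookies, one host-only session cookie, one host-only path-limited cookie.
const sampleSetCookies = [
  'consent=' + 'c'.repeat(1900) + '; Domain=.example.com; Path=/; Secure; SameSite=Lax',
  'analytics=' + 'a'.repeat(6200) + '; Domain=example.com; Path=/; Secure',
  'session=' + 's'.repeat(64) + '; Path=/; Secure; HttpOnly; SameSite=Lax',
  'prefs=' + 'p'.repeat(400) + '; Path=/account; Secure',
];

const report = auditSetCookies(sampleSetCookies, 'www.example.com', 'track.example.com');
for (const f of report.findings) {
  console.log(`${f.name}: ${f.bytes} bytes, reaches delegated host: ${f.leaksToDelegated}, every path: ${f.sentOnEveryPath}`);
}
console.log(`Cookie field at delegated host: ${report.leakedHeaderBytes} bytes, over limit: ${report.wouldExceedLimit}`);
```

Applying the suggested host-only headers removes the delegated host from the cookies' scope entirely; as the recommendations note, it also stops those cookies being shared with any other subdomain of your own, so cookies that genuinely must be shared across hosts should instead be shrunk or path-limited.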

If these mitigations are not possible, Mapp Cloud may be able to assist in filtering out cookies that you have set on a browser but that may not currently be accepted or needed by Mapp. Please contact your CSM for a detailed review and cost.

HTTP compliance

The HTTP protocol does not define a header size limit, but it notes that for practical purposes servers may impose one, and it defines how a server must respond in that situation. The HTTP/1.1 specification this page was written against, RFC 7230, says in section 3.2.5, Field Limits (RFC 7230 has since been obsoleted by RFC 9110 and RFC 9112, which keep the same requirement):

A server that receives a request header field, or set of fields, larger than it wishes to process MUST respond with an appropriate 4xx (Client Error) status code.

When Mapp Cloud receives a request whose HTTP header exceeds 8096 bytes, the request is rejected and an error 400 (Bad Request) or 413 (Payload Too Large) is returned. Note that RFC 6585 defines status 431 (Request Header Fields Too Large) specifically for this case; Mapp Cloud currently returns 400 or 413, so client-side handling should treat any of the three as the same condition.

More Information

Using HTTP cookies: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

HTTP State Management Mechanism (cookie domain and path matching), RFC 6265: https://www.rfc-editor.org/rfc/rfc6265

List of HTTP status codes: https://en.wikipedia.org/wiki/List_of_HTTP_status_codes

HTTP 1.1 protocol: https://www.ietf.org/rfc/rfc7230.txt