Cap to http.DefaultMaxHeaderBytes

config/config.go

@@ -1,6 +1,7 @@
 package config
 
 import (
+	"net/http"
 	"strings"
 	"time"
 
@@ -95,7 +96,7 @@ func setConfigDefaults(v *viper.Viper) {
 	v.SetDefault("request_limits.max_size_bytes", utils.REQUEST_MAX_SIZE_BYTES)
 	v.SetDefault("request_limits.max_num_values", utils.REQUEST_MAX_NUM_VALUES)
 	v.SetDefault("request_limits.max_ttl_seconds", utils.REQUEST_MAX_TTL_SECONDS)
-	v.SetDefault("request_limits.max_header_size_bytes", 0)
+	v.SetDefault("request_limits.max_header_size_bytes", http.DefaultMaxHeaderBytes)
 	v.SetDefault("routes.allow_public_write", true)
 }
 
@@ -204,10 +205,10 @@ func (cfg *RequestLimits) validateAndLog() {
 		log.Fatalf("invalid config.request_limits.max_num_values: %d. Value cannot be negative.", cfg.MaxNumValues)
 	}
 
-	if cfg.MaxHeaderSize >= 0 {
+	if cfg.MaxHeaderSize >= 0 && cfg.MaxHeaderSize <= http.DefaultMaxHeaderBytes {
 		log.Infof("config.request_limits.max_header_size_bytes: %d", cfg.MaxHeaderSize)
 	} else {
-		log.Fatalf("invalid config.request_limits.max_header_size_bytes: %d. Value cannot be negative.", cfg.MaxHeaderSize)
+		log.Fatalf("invalid config.request_limits.max_header_size_bytes: %d. Value out of range.", cfg.MaxHeaderSize)
 	}
 }
 

config/config_test.go

@@ -868,14 +868,14 @@ func TestRequestLimitsValidateAndLog(t *testing.T) {
 			expectFatal: true,
 		},
 		{
-			description:        "Negative max_num_values, expect fatal level log and early exit",
+			description:        "Negative max_header_size_bytes, expect fatal level log and early exit",
 			inRequestLimitsCfg: &RequestLimits{MaxHeaderSize: -1},
 			expectedLogInfo: []logComponents{
 				{msg: `config.request_limits.allow_setting_keys: false`, lvl: logrus.InfoLevel},
 				{msg: `config.request_limits.max_ttl_seconds: 0`, lvl: logrus.InfoLevel},
 				{msg: `config.request_limits.max_size_bytes: 0`, lvl: logrus.InfoLevel},
 				{msg: `config.request_limits.max_num_values: 0`, lvl: logrus.InfoLevel},
-				{msg: `invalid config.request_limits.max_header_size_bytes: -1. Value cannot be negative.`, lvl: logrus.FatalLevel},
+				{msg: `invalid config.request_limits.max_header_size_bytes: -1. Value out of range.`, lvl: logrus.FatalLevel},
 			},
 			expectFatal: true,
 		},
@@ -1232,6 +1232,7 @@ func getExpectedDefaultConfig() Configuration {
 			MaxSize:       10240,
 			MaxNumValues:  10,
 			MaxTTLSeconds: 3600,
+			MaxHeaderSize: 1048576,
 		},
 		Routes: Routes{
 			AllowPublicWrite: true,

server/server.go

@@ -83,7 +83,7 @@ func newAdminServer(cfg config.Configuration, handler http.Handler) *http.Server
 		Addr:    ":" + strconv.Itoa(cfg.AdminPort),
 		Handler: handler,
 	}
-	if cfg.RequestLimits.MaxHeaderSize > 0 {
+	if cfg.RequestLimits.MaxHeaderSize > 0 && cfg.RequestLimits.MaxHeaderSize < http.DefaultMaxHeaderBytes {
 		server.MaxHeaderBytes = cfg.RequestLimits.MaxHeaderSize
 	}
 	return server