Commit

chore(api): increase maxHeaderSize
pseudoyu committed Dec 4, 2024
1 parent 4f0a740 commit b138698
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions lib/index.ts
Expand Up @@ -20,6 +20,9 @@ const server = serve({
fetch: app.fetch,
hostname: config.listenInaddrAny ? '::' : '127.0.0.1',
port,
serverOptions: {
maxHeaderSize: 1024 * 64,

TonyRL Dec 5, 2024

Collaborator

@pseudoyu This brings some degree of CVE-2018-12121. Testing (see nodejs/node#27645 (comment)) shows that the maximum header size is roughly proportional to memory usage during exploitation attempts. A 64 KB maximum header size could lead to a peak memory usage of approximately 2.8 GB, easily causing a denial-of-service condition on systems with only 1 or 2 GB of RAM.

Setting the maximum header size to 32 KB, double the default of 16 KB, should address these edge cases; quadrupling the default seems excessive.

pseudoyu Dec 5, 2024

Author Collaborator

Modified. Thank you. I made this change due to receiving a "431 Request Header Fields Too Large" error when calling "http://localhost:1200/api/category/popular?lang=en"

},
});

export default server;
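
Review bot: The `maxHeaderSize: 1024 * 64` line in `serverOptions` is an unexplained hard-coded limit, and it applies even when `config.listenInaddrAny` makes the server listen on `::`, so any client that can reach the port may send headers up to 64 KB. Add a comment recording why the limit was raised (the 431 response mentioned in the thread), move the value to a named constant or a config option so that operators on low-memory hosts can lower it, and consider the 32 KB value suggested in the inline comment rather than four times the default.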
