Q&A: what is the maximum header length allowed (WAF policy module - Illegal Header Length)?


  • On a WAF policy, what is the maximum header length allowed?
  • How is the value calculated and violation itself triggered?
  • Is this a configurable option on a WAF policy or hard-coded into the system?



  • Silverline Managed WAF
  • WAF Policy / Policies
  • Module / Attack Signature



  • The default maximum length is 8192 bytes.
  • The system calculates and enforces the HTTP header length based on the sum of the length of the HTTP header name and value. Requests with headers that are longer than the maximum length cause an Illegal header length violation.
  • This module is not enabled by default in Blocking Phases but can be enabled if required.
  • The 'Max HTTP Header Length' must be less than 8192 bytes (8K) and greater than 0.
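
The following Python sketch is an added example, not Silverline code: it measures each header in captured requests as name length plus value length, so oversized headers can be found before the module is enabled in blocking. It assumes the limit applies per header and that the colon and the whitespace around the value are not counted; all function names and the sample requests are constructed for illustration.

```python
MAX_HEADER_LEN = 8192  # default maximum stated on this page


def header_lengths(raw_request: bytes):
    """Yield (name, len(name) + len(value)) for each header in a raw request.

    Assumption: the limit is applied per header, and the ':' separator and
    the whitespace around the value are not counted.
    """
    head = raw_request.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:  # [1:] skips the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a "name: value" line
        value = value.strip(b" \t")
        yield name.decode("latin-1"), len(name) + len(value)


def oversized_headers(raw_request: bytes, limit: int = MAX_HEADER_LEN):
    """Headers that are longer than the limit (equal to the limit passes)."""
    return [(n, size) for n, size in header_lengths(raw_request) if size > limit]


def peak_lengths(raw_requests):
    """Largest observed length per header name (case-insensitive)."""
    peaks = {}
    for raw in raw_requests:
        for name, size in header_lengths(raw):
            key = name.lower()
            peaks[key] = max(peaks.get(key, 0), size)
    return peaks


def _req(headers):
    """Build a constructed sample request from (name, value) pairs."""
    lines = ["GET /account HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


# Constructed sample traffic, not captured from a real system.
SAMPLE_REQUESTS = [
    _req([("Host", "app.example.test"), ("Cookie", "s=" + "a" * 300)]),
    _req([("Host", "app.example.test"), ("X-Pad", "b" * 8187)]),  # exactly 8192
    _req([("Host", "app.example.test"), ("Cookie", "s=" + "c" * 8200)]),  # 8208
]

if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_REQUESTS):
        print(i, oversized_headers(raw))
    print(peak_lengths(SAMPLE_REQUESTS))
```

The per-header peaks show which legitimate headers (typically cookies or tokens) sit closest to the configured limit.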


