Property max-header-size appears to only apply to request headers sent to app

[Greg-Eigen]

Expected Behavior

Micronaut allows overriding the max header size via the following property: micronaut.server.netty.max-header-size

Documentation description of this property is: "Sets the maximum size of any one header. Default value (8192)."

Expected/hoped behavior was that the value of this property would apply to all http requests and responses managed by the running application.

Actual Behaviour

My observation is that the value of micronaut.server.netty.max-header-size is being applied only to the request headers sent to the running application, but not the following:

1. response headers returned from the app
2. request headers sent from the app to another http service
3. response headers returned from another http service to the app

Steps To Reproduce

To reproduce the behavior described in scenario 1 above:

1. Set the value of micronaut.server.netty.max-header-size = 80
2. Create a simple app that contains a Controller that returns an HttpResponse including a header that is > 80bytes
3. Run the app
4. Via Curl, send request to the app. Response code = 200 OK
5. Conclusion drawn (and also validated via debugging and watching the execution flow) is that the default value of max-header-size (8192) is being used to measure response headers size against, instead of the custom value of max-header-size

To reproduce the behavior described in scenarios 2 and 3 above:

1. Set the value of micronaut.server.netty.max-header-size = 80
2. Create an app that contains a Client that makes a request to another http service, including a header that is > 80bytes. Also ensure that http service returns a response header that is > 80 bytes.
3. Run the app
4. Via Curl, send request to the app. Response code = 200 OK
5. Conclusion drawn (and also validated via debugging and watching the execution flow) is that the default value of max-header-size (8192) is being used to measure headers sent to and received from another http service, instead of the custom value of max-header-size

Environment Information

JDK 11

Example Application

No response

Version

4.7.14

[graemerocher]

I don't see this as a bug. The setting is specifically about the server and inbound headers. What you are asking for is additional features to limit outbound headers some of which relate to the client.

[Greg-Eigen]

Yeah i had considered as much. Looks like you've labelled this as a being considered for a future enhancement, which I appreciate and will continue to watch to see what you decide.
FWIW we have a scenario where we are adding a header with many values to the response which in some cases (depending on the number of item ids that are applicable) can exceed the default 8kb header limit (!) which results in an error. So at first we just increased the value of max-header-size hoping that would alleviate our problem but as noted it does not. :)

[yawkat]

@Greg-Eigen I don't think there is a limit for header size during encoding. If there is, and it isn't configurable, that's a bug. Can you make a reproducer