Why am I getting "Bad Request (Request Header Too Long)" error when going through the proxy?

Available Languages

Download Options

PDF (2.9 KB)
View with Adobe Reader on a variety of devices
ePub (88.3 KB)
View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle) (71.2 KB)
View on Kindle device or Kindle app on multiple devices

Updated:August 12, 2014

Document ID:118230

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Question:

Why am I getting "Bad Request (Request Header Too Long)" error when going through the Cisco Web Security appliance (WSA)?

Environment:

Cisco Web Security Appliance (WSA) any AsyncOS version

The error "Bad Request (Request Header Too Long)" is seen when the HTTP request header exceeds the "header size limit" set on the destination server.

Normal HTTP requests don't hit this limit. However in certain cases, like the destination server requiring authentication, the HTTP request header may grow, approaching the limit set on the destination server. If the HTTP request header exceeds the header size configured on the destination server, then the server will send "Bad Request (Request Header Too Long)" HTTP response.

When going through the WSA, WSA will add additional headers, such as "Via" header, to the HTTP request. The headers added by WSA are typically optional HTTP headers which comply with HTTP RFC. On rare occasions, the extra header which the proxy adds may cause the header limit to be exceeded on destination server side.

The "Via" header can be disabled on our Web Security Appliance (WSA) from the Web GUI under:

"Security Services" > "Web Proxy" > "Edit Settings"
Under "Headers ..", set the option to "Do not Send" for Via headers

In AsyncOS versions 7.5 and above, we specifically disable the just the "Request Side VIA:" header which would be sent to the destination servers.

Typically, the header size limit should also be configurable on the web server.

Configuration guide for changing the limit on IIS server: http://support.microsoft.com/kb/955585

Revision History

Revision	Publish Date	Comments
1.0	08-Aug-2014	Initial Release

Contributed by Cisco Engineers

Kei Ozaki and Siddharth Rajpathak
Cisco TAC Engineers.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

This Document Applies to These Products

Secure Web Appliance