10.2 Ensure the Maximum Request Headers Per Request Is Set Properly

Information

The 'LimitRequestFields' directive limits the number of HTTP request headers allowed per request. It is recommended that the 'LimitRequestFields' directive be set to '100' or less.

Rationale:

Limiting the number of headers per request may reduce exposure to a buffer-related vulnerability potentially present in a code base hosted by the Apache HTTP Server.

Solution

Perform the following to implement the recommended state:

Add or modify the 'LimitRequestFields' directive in the Apache configuration to have a value of '100' or less. If the directive is not present, the default depends on a compile-time configuration, which defaults to a value of '100'.

LimitRequestFields 100
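
One way to audit this setting, as an added example (not part of the benchmark or the plugin): a shell function that checks every 'LimitRequestFields' occurrence in a single configuration file. The function name, verdict strings and sample files are constructed here; it does not follow Include directives, and it fails a value of 0 because httpd reads 0 as unlimited, a rule added here beyond the benchmark's "100 or less" wording.

```shell
#!/bin/sh
# Added example: audit every LimitRequestFields occurrence in one config file.
# Prints PASS, FAIL or ABSENT; exit status 0 = PASS, 1 = FAIL, 2 = ABSENT.
check_limit_request_fields() {
    # Directive names are case-insensitive; commented-out lines never match
    # because their first field starts with '#'.
    values=$(awk 'tolower($1) == "limitrequestfields" {
                      print ($2 == "" ? "missing" : $2) }' "$1")
    if [ -z "$values" ]; then
        echo ABSENT     # compiled-in default applies (100 as distributed)
        return 2
    fi
    for v in $values; do
        case $v in
            *[!0-9]*) echo FAIL; return 1 ;;   # not a plain integer
        esac
        # 0 means "unlimited" to httpd, so it fails even though 0 <= 100.
        if [ "${#v}" -gt 5 ] || [ "$v" -eq 0 ] || [ "$v" -gt 100 ]; then
            echo FAIL; return 1
        fi
    done
    echo PASS
}

# Constructed sample configurations (not taken from a real server).
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
ServerName example.test
# LimitRequestFields 500
limitrequestfields 100
<VirtualHost *:80>
    LimitRequestFields 50
</VirtualHost>
EOF
printf 'LimitRequestFields 100\n<VirtualHost *:80>\nLimitRequestFields 0\n</VirtualHost>\n' \
    > "$demo_dir/unlimited.conf"
printf 'ServerName example.test\n' > "$demo_dir/absent.conf"

for f in good unlimited absent; do
    printf '%s.conf: %s\n' "$f" "$(check_limit_request_fields "$demo_dir/$f.conf")"
done
```

An ABSENT result means the running value is whatever the binary was compiled with, so confirm that build default before accepting it.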

See Also

https://workbench.cisecurity.org/files/2020

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|9

Plugin: Unix

Control ID: 21420284e57012e8ea1ca708351acdffa864e078e650deb1af8ddef3f41bb5b9