10.2 Ensure the LimitRequestFields Directive is Set to 100 or Less

Information

The LimitRequestFields directive limits the number of fields allowed in an HTTP request.

Rationale:

The limiting of the number of fields is helpful so that the web server can prevent an unexpectedly high number of fields from being passed to a potentially vulnerable CGI program, module or application that would have attempted to process the request. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. Since the configuration directives are available only at the server configuration level, it is not possible to tune the value for different portions of the same web server. Please read the Apache documentation carefully, as these requests may interfere with the expected functionality of some web applications.

Solution

Perform the following to implement the recommended state:

Add or modify the LimitRequestFields directive in the Apache configuration to have a value of 100 or less. If the directive is not present the default depends on a compile time configuration, but defaults to a value of 100.

LimitRequestFields 100

Default Value:

LimitRequestFields 100

See Also

https://workbench.cisecurity.org/files/3021