6.6 Control the maximum size of a POST request that will be parsed for parameter

Information

The maxPostSize attribute controls the maximum size of a POST request which will be parsed for parameters. Setting a proper size is recommended to reduce DOS attack.

Rationale:

The maxPostSize value is the maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing. The parameters are cached for the duration of the request. Limit its size to reduce exposure to a DOS attack.

Solution

Set the maxPostSize attributes to each Connector specified in $CATALINA_HOME/conf/server.xml per requirement.

<Connector
...
maxPostSize=2097152
...

Impact:

Disabling the maxPostSize may increase the risk for a DOS attack.

Default Value:

2097152 (2 MB)

References:

https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html

https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html

See Also

https://workbench.cisecurity.org/files/2506