• Type: Sub-task
    • Resolution: Unresolved
    • Priority: Major
    • OAPE Sprint 277

      Set limits on incoming HTTP messages, and notify designated administrator roles of a violation.

      HTTP request headers and bodies

      Limit the number and length of HTTP request headers and bodies accepted from the clients to a minimum. Set tighter endpoint-specific restrictions depending on their function to minimize the attack surface.

      Limit the following request attributes:

      • Request body size
      • Number of request header fields
      • Request header fields size
      • Request line size
      • XML request body size

      Server timeout

      Tune the connection timeout settings of the server. A higher connection timeout keeps each connection open longer while the server waits on the client, which increases the likelihood of various types of server attacks, such as Slowloris.

      Note: A small value may cause problems for legitimate users on slow connections. Set timeout values based on your normal connection statistics.

      Tune the following timeout settings:

      • Request read timeout
      • Keep-alive timeout

      Server connections and backlog capacity

      Tune the maximum number of simultaneous connections, and increase the capacity of the backlog of pending connections where possible.

      Note: A larger backlog can prolong a denial of service (DoS) attack, because it holds incomplete requests (including malicious ones), but it reduces the impact of small attacks.

      Most web and application servers provide a configuration option for each of these limits. See the server-specific documentation, and review your application needs when adjusting each of these settings.

      Considerations

      The meaning of "reasonable" varies according to a system's available resources and an application's features and needs. Consider the following:

      • A maximum URL size of 2000 characters is considered reasonable and supported by most browsers.
        - Smaller values (256) might interfere with features such as single sign-on.
      • While a 1 MB limit on HTTP request sizes is reasonable for most applications, it might restrict file upload speeds where applicable.
      • Maximum number of concurrent connections:
        - Carefully review the operational environment, hardware, and software resources, such as system memory available to the HTTP server.
        - There is no common value that works for all environments.
      • Decreasing the keep-alive timeout might have a small performance impact.
        - A value above 60 seconds is not recommended according to [Apache Performance Tuning](http://httpd.apache.org/docs/2.2/misc/perf-tuning.html).

      For more information about web server security, see Apache Security Tips.
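      As an added example (not part of the SD Elements task or any Red Hat project code), the following Python script audits an Apache httpd configuration fragment against the request limits and timeouts described above. The sample configuration is constructed; the ceilings other than the 1 MB body and 2000-character request line, and the function names, are assumptions.

```python
import re

# Directive -> ceiling. 1 MB body and 2000-byte line come from the Considerations; other ceilings are hypothetical.
LIMITS = {
    "LimitRequestBody": 1_048_576,   # bytes, 1 MB
    "LimitRequestLine": 2000,        # bytes, roughly a 2000-character URL
    "LimitRequestFieldSize": 8190,   # bytes per header field
    "LimitRequestFields": 100,       # header fields per request
    "LimitXMLRequestBody": 1_000_000,
    "Timeout": 60,                   # seconds
    "KeepAliveTimeout": 60,          # seconds; the text advises no more than 60
}
# Apache treats 0 as "no limit" for these directives.
UNLIMITED_IF_ZERO = {"LimitRequestBody", "LimitRequestFields", "LimitXMLRequestBody"}

# Constructed sample httpd.conf fragment, not any real server's configuration.
SAMPLE_CONF = """\
Timeout 300
KeepAliveTimeout 120        # above the 60 s ceiling
LimitRequestBody 0          # 0 means unlimited
LimitRequestLine 2000
LimitRequestFieldSize 8190
"""

def parse_directives(conf: str) -> dict:
    """Map `Name value` lines to {name: value}; comments are skipped, later lines override earlier ones."""
    found = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z]+)\s+(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def audit(conf: str) -> list:
    """Return one finding per directive that is missing, non-numeric, disabled or above its ceiling."""
    directives = parse_directives(conf)
    findings = []
    for name, ceiling in LIMITS.items():
        raw = directives.get(name)
        if raw is None:
            findings.append(f"{name}: not set (server default applies)")
        elif not raw.isdigit():
            findings.append(f"{name}: non-numeric value {raw!r}")
        elif int(raw) == 0 and name in UNLIMITED_IF_ZERO:
            findings.append(f"{name}: 0 disables the limit")
        elif int(raw) > ceiling:
            findings.append(f"{name}: {raw} exceeds ceiling {ceiling}")
    return findings
```

      Run `audit(SAMPLE_CONF)` to list the five violations in the sample; an empty list means every directive is set and within its ceiling.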

      FedRAMP / Moderate Baseline

      SC-6: System And Communications Protection | Resource Availability
      The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more); priority; quota; [Assignment: organization-defined security safeguards]].

      Imported from SD Elements: https://redhat.sdelements.com/bunits/psse-secure-development/group-3-supporting-and-tooling-offering/openshift-zero-trust-workload-identity-manager/tasks/phase/requirements/311-T35/

      Training Modules

      Defending Databases

              rh-ee-manpilla Manish Pillai
              sdelements Jira-SD-Elements-Integration Bot