I am not sure if the Spring Boot team would be willing to do this, but some time ago the nodejs ecosystem (and some other ecosystems) changed their default max http request header size to 16KB: https://github.com/nodejs/node/pull/32520

Case for this: Spring Boot is used extensively in the backend, while further up the stack it's not uncommon in various architectures to see mid-tier apps/front ends use different technologies like nodejs that accept larger header sizes by default. Obviously this could always be a moving target, but 8KB does seem a little aggressive, and I think it's that way to minimize DDoS attacks.

Anyway, I am not sure what your thoughts are, but I figured it would be good to ask if we could consider increasing the default max header size from 8KB to 16KB.

For some more context and past discussions, see https://github.com/nodejs/node/issues/27645

...and yes, I am aware another approach is to just always set this property, but I'm just seeing if we think 16KB would be a reasonable default.

Comment From: bclozel

I think we're just going with the defaults that popular servers are using these days:

* Tomcat
* Jetty
* Reactor Netty

It would be strange for Spring Boot to pick defaults considered as "less safe" than what supported servers chose.

Comment From: wilkinsona

I agree with Brian. I thought we had a test to check that our default aligns with Tomcat's default, but I can't find it. I've opened https://github.com/spring-projects/spring-boot/issues/46977 to add one so that we can consider updating Boot's default should Tomcat change its default in the future.

/cc @markt-asf.

Comment From: mbazos

Thanks, yeah, I think that's probably a good decision to align with the popular servers, and having a check on the Spring Boot default is a good idea. Thanks for getting back to me on this so quickly.