Does it depend on the browser? Also, do different network stacks have different limits on how much data they can get from the request?


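Current answer

Recommended maximum for security and performance: 2048 characters

Although RFC 2616 does not officially specify a limit, many security protocols and recommendations state that maxQueryStrings on a server should be set to a maximum character limit of 1024, while the entire URL, including the query string, should be set to a maximum of 2048 characters. This is to prevent the Slow HTTP Request DDOS/DOS attack vulnerability on a web server. This typically shows up as a vulnerability on the Qualys Web Application Scanner and other security scanners.

Please see the example code below for a Windows IIS server using Web.config: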

<system.webServer>
    <security>
        <requestFiltering>
            <requestLimits maxQueryString="1024" maxUrl="2048">
                <headerLimits>
                    <add header="Content-type" sizeLimit="100" />
                </headerLimits>
            </requestLimits>
        </requestFiltering>
    </security>
</system.webServer>

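This would also work at the server level using machine.config.

This is just for Windows operating system based servers; I'm not sure whether there is a similar issue on Apache or other servers.

Note: Limiting query string and URL length may not completely prevent a Slow HTTP Request DDOS attack, but it is one step you can take.

Adding a reference, as requested in the comments: https://www.raiseupwa.com/writing-tips/what-is-the-limit-of-query-string-in-asp-net/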
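An added example, not part of the original answer: a Python check that reads a Web.config and reports every scope whose effective maxQueryString or maxUrl is above the 1024/2048 values recommended above. It assumes the IIS request-filtering defaults (2048 and 4096) apply when an attribute is unset and that the file is the top of the hierarchy (machine.config and applicationHost.config are not read); the function names and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Limits recommended in the answer above.
RECOMMENDED = {"maxQueryString": 1024, "maxUrl": 2048}
# Assumption: IIS request-filtering defaults when nothing sets the attribute.
IIS_DEFAULTS = {"maxQueryString": 2048, "maxUrl": 4096}
LIMITS_PATH = "security/requestFiltering/requestLimits"

# Constructed sample: site-wide limits plus a <location> override that
# raises maxUrl for one path and inherits maxQueryString.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer><security><requestFiltering>
    <requestLimits maxQueryString="1024" maxUrl="2048" />
  </requestFiltering></security></system.webServer>
  <location path="reports">
    <system.webServer><security><requestFiltering>
      <requestLimits maxUrl="8192" />
    </requestFiltering></security></system.webServer>
  </location>
</configuration>"""


def _merge(inherited, web_server):
    """Overlay the attributes set in one <system.webServer> on inherited values."""
    merged = dict(inherited)
    limits = web_server.find(LIMITS_PATH) if web_server is not None else None
    if limits is not None:
        for attr in RECOMMENDED:
            if limits.get(attr) is not None:
                merged[attr] = int(limits.get(attr))
    return merged


def audit_request_limits(xml_text):
    """Return (scope, attribute, effective_value) for each limit above RECOMMENDED."""
    root = ET.fromstring(xml_text)
    # Accept a full <configuration> file or a bare <system.webServer> fragment.
    site_node = root if root.tag == "system.webServer" else root.find("system.webServer")
    site = _merge(IIS_DEFAULTS, site_node)
    scopes = [("(site)", site)]
    for loc in root.findall("location"):
        scopes.append((loc.get("path", ""), _merge(site, loc.find("system.webServer"))))
    return [(scope, attr, values[attr])
            for scope, values in scopes
            for attr, limit in RECOMMENDED.items() if values[attr] > limit]


if __name__ == "__main__":
    for scope, attr, value in audit_request_limits(SAMPLE_WEB_CONFIG):
        print(f"{scope}: {attr}={value} exceeds {RECOMMENDED[attr]}")
```

A `<location>` override that silently raises a limit for one path is the case a site-level review tends to miss, which is why each scope is evaluated with inheritance applied.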

Other answers

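RFC 2616 (Hypertext Transfer Protocol - HTTP/1.1) states that there is no limit on the length of a query string (section 3.2.1). RFC 3986 (Uniform Resource Identifier - URI) also states that there is no limit, but indicates that the hostname is limited to 255 characters because of DNS limitations (section 2.3.3).

Although the specifications do not specify any maximum length, practical limits are imposed by web browsers and server software. Based on research that is unfortunately no longer available on its original site (it leads to a shady-looking loan site), but which can still be found in the Internet Archive copy of Boutell.com: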

Microsoft Edge (Browser)
The limit appears to be around 81578 characters. See URL Length limitation of Microsoft Edge

Chrome
It stops displaying the URL after 64k characters, but can serve more than 100k characters. No further testing was done beyond that.

Firefox (Browser)
After 65,536 characters, the location bar no longer displays the URL in Windows Firefox 1.5.x. However, longer URLs will work. No further testing was done after 100,000 characters.

Safari (Browser)
At least 80,000 characters will work. Testing was not tried beyond that.

Opera (Browser)
At least 190,000 characters will work. Stopped testing after 190,000 characters. Opera 9 for Windows continued to display a fully editable, copyable and pasteable URL in the location bar even at 190,000 characters.

Microsoft Internet Explorer (Browser)
Microsoft states that the maximum length of a URL in Internet Explorer is 2,083 characters, with no more than 2,048 characters in the path portion of the URL. Attempts to use URLs longer than this produced a clear error message in Internet Explorer.

Apache (Server)
Early attempts to measure the maximum URL length in web browsers bumped into a server URL length limit of approximately 4,000 characters, after which Apache produces a "413 Entity Too Large" error. The current up to date Apache build found in Red Hat Enterprise Linux 4 was used. The official Apache documentation only mentions an 8,192-byte limit on an individual field in a request.

Microsoft Internet Information Server (Server)
The default limit is 16,384 characters (yes, Microsoft's web server accepts longer URLs than Microsoft's web browser). This is configurable.

Perl HTTP::Daemon (Server)
Up to 8,000 bytes will work. Those constructing web application servers with Perl's HTTP::Daemon module will encounter a 16,384 byte limit on the combined size of all HTTP request headers. This does not include POST-method form data, file uploads, etc., but it does include the URL. In practice this resulted in a 413 error when a URL was significantly longer than 8,000 characters. This limitation can be easily removed. Look for all occurrences of 16x1024 in Daemon.pm and replace them with a larger value. Of course, this does increase your exposure to denial of service attacks.

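Different network stacks support different lengths of HTTP request. In my experience, the early Safari stack only supported 4000 characters, and so had difficulty handling ASP.net pages because of the USER-STATE. This even applies to POST, so you would have to check the browser and see what the stack limit is. I think you may hit the limit even on newer browsers. I can't remember, but one of them (IE6, I think) had a 16-bit limit, 32,768 or something.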