Barracuda Web Application Firewall

Configuring Request Limits

Request limits define the validation criteria for incoming requests by enforcing size limits on HTTP request header fields. Requests with fields larger than the specified maximums are dropped. Properly configured limits mitigate buffer overflow exploits, preventing Denial of Service (DoS) attacks.

Request limits are enabled by default, and requests that exceed the specified lengths are assumed to be buffer overflow attacks. The defaults are normally appropriate, but you might choose to change one or more of the default values under certain conditions.

When to change default values:

The defaults can be modified if the service or the server may have problems with lengths smaller than the defaults. When Action is set to Deny and Log or Deny with no Log for a service under URL: Allow/Deny Rules on the WEBSITES > Allow/Deny page, the Barracuda Web Application Firewall continues to examine the request until it reaches the default length configured. Smaller limits lead to a slight performance improvement because fewer bytes are parsed before a request is denied. The defaults can be changed to larger values if the original defaults result in false alarms.

Steps to Configure Request Limits
  1. Go to the SECURITY POLICIES > Request Limits page.
  2. Select the policy from the Policy Name drop-down list for which you want to modify request limits settings.
  3. In the Request Limits section, specify values for the following fields:
    1. Enable Request Limits – When set to Yes, size limit checks are enforced on request headers.
      • Values: Yes, No
      • Recommended: Yes
    2. Max Request Length – Enter the maximum allowable request length. This includes the Request-Line and all HTTP request headers (for example, User-Agent, Cookie, Referer, etc.). The request length limit does not include the request body, which is typically present for POST requests. Any request whose length exceeds this limit is denied.
      • Range: 1 byte to 65536 bytes.
      • Recommended: 32768 bytes
    3. Max Request Line Length – Enter the maximum allowable length for the request line. The request line consists of the method, the URL (including any query strings) and the HTTP version. Example:
      GET /index.cgi?page=home HTTP/1.1
      In the above request line, GET is the method, /index.cgi?page=home is the URL and HTTP/1.1 is the version. The length of the entire line is considered when checking for request line length.
      • Range: 1 byte to 65536 bytes.
      • Recommended: 4096 bytes
    4. Max URL Length – Enter the maximum allowable URL length including the query string portion of the URL.
      • Range: 1 byte to 128 kilobytes. No value (empty) implies unlimited.
      • Recommended: 4096 bytes
    5. Max Query Length – Enter the maximum allowable length for the query string portion of the URL.
      • Range: 1 byte to 60000 bytes. No value (empty) implies unlimited.
      • Recommended: 4096 bytes
    6. Max Number of Cookies – Enter the maximum number of cookies to be allowed.
      • Range: 1 to 1024. No value (empty) implies unlimited.
      • Recommended: 40
    7. Max Cookie Name Length – Enter the maximum allowable length for cookie name.
      • Range: 1 byte to 1024 bytes. No value (empty) implies unlimited.
      • Recommended: 64 bytes
    8. Max Cookie Value Length – Enter the maximum allowable length for a cookie value. Requests with cookie values that are larger than the defined setting are denied.
      • Range: 1 byte to 32768 bytes. No value (empty) implies unlimited.
      • Recommended: 4096 bytes
    9. Max Number of Headers – Enter the maximum number of headers in a request. If there are more headers than this limit in the request, the request is denied.
      • Range: 1 to 40. No value (empty) implies unlimited.
      • Recommended: 20
    10. Max Header Name Length – Enter the maximum allowable length for header name.
      • Range: 1 byte to 1024 bytes. No value (empty) implies unlimited.
      • Recommended: 32 bytes
    11. Max Header Value Length – Enter the maximum allowable length for the value of any request header. A request header can be either an HTTP protocol header such as "Host", "User-Agent" and so on, or a custom header such as "IIS Translate". A request may contain any number of these headers. This setting does not apply to cookies. Cookie lengths are instead controlled by the cookie-related parameters Max Cookie Name Length and Max Cookie Value Length.
      • Range: 1 byte to 64 kilobytes. No value (empty) implies unlimited.
      • Recommended: 1024 bytes

  4. Click Save.
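
To estimate whether a given set of limits would cause false alarms for an application, the checks listed above can be approximated offline against captured request heads. The following is an added example, not Barracuda code: the function name, the byte-counting details and the sample request are assumptions, and the limit values are the recommended ones from this page.

```python
# Added illustration: approximates the checks described above; not Barracuda code.
# Limits are the page's recommended values; None stands for "empty = unlimited".
LIMITS = {
    "max_request_length": 32768, "max_request_line_length": 4096,
    "max_url_length": 4096, "max_query_length": 4096,
    "max_cookies": 40, "max_cookie_name_length": 64,
    "max_cookie_value_length": 4096, "max_headers": 20,
    "max_header_name_length": 32, "max_header_value_length": 1024,
}

def check_request_head(head: bytes, limits=LIMITS):
    """Return the names of the limits that a raw request head (no body) exceeds."""
    hit = []
    def over(name, size):
        cap = limits.get(name)
        if cap is not None and size > cap and name not in hit:
            hit.append(name)

    # Assumption: sizes are byte counts; per-field sizes exclude CRLF, the total includes it.
    over("max_request_length", len(head))
    lines = head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    over("max_request_line_length", len(lines[0]))
    parts = lines[0].split(b" ")
    url = parts[1] if len(parts) >= 2 else b""
    over("max_url_length", len(url))          # URL length includes the query string
    _, _, query = url.partition(b"?")
    over("max_query_length", len(query))

    headers = [ln.partition(b":") for ln in lines[1:] if ln]
    over("max_headers", len(headers))
    cookies = []
    for name, _, value in headers:
        value = value.strip()
        over("max_header_name_length", len(name))
        if name.strip().lower() == b"cookie":
            # Cookies are governed by the cookie limits, not Max Header Value Length.
            cookies += [c.strip().partition(b"=") for c in value.split(b";") if c.strip()]
        else:
            over("max_header_value_length", len(value))
    over("max_cookies", len(cookies))
    for cname, _, cvalue in cookies:
        over("max_cookie_name_length", len(cname))
        over("max_cookie_value_length", len(cvalue))
    return hit

# Constructed sample: a 2000-byte cookie passes, a 1500-byte custom header does not.
SAMPLE = (b"GET /index.cgi?page=home HTTP/1.1\r\nHost: app.example\r\n"
          b"Cookie: sid=" + b"a" * 2000 + b"\r\nX-Trace: " + b"b" * 1500 + b"\r\n\r\n")
```

Running it over a sample of legitimate traffic shows which limit would need raising before the policy is enforced.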