Recommended value for maxHttpHeaderSize in Tomcat

JohnnyG3 · February 24, 2025, 11:09pm

Hello,

Is there any recommendations for setting maxHttpHeaderSize in Tomcat?

MarijeSchillern · March 17, 2025, 6:05pm

@JohnnyG3

This is a GenAI-powered tool. All generated answers require validation against the provided references.

Default Values

The default maxHttpHeaderSize in Apache Tomcat varies depending on the connector type:

For NIO and NIO2 connectors: 10,000 bytes
For APR/native connectors: 8,192 bytes (8KB)

Recommended Values for Pega Applications

According to Pega Support documentation, the recommended minimum value for maxHttpHeaderSize in Pega applications is 16KB (16,384 bytes). This recommendation is based on an update that increased the default max header size used by stream data set REST service from 8KB to 16KB, as applications often have HTTP headers containing numerous cookies and meta-information that can exceed the 8KB default.

General Best Practices

For most enterprise applications, security experts and Tomcat administrators typically recommend setting the maxHttpHeaderSize to 65,536 bytes (64KB). This provides sufficient headroom for complex applications while still maintaining reasonable security constraints.

Configuration Method

To implement this change, you would need to modify your Tomcat server.xml file by adding or updating the maxHttpHeaderSize parameter in the Connector configuration:

<Connector port="8080" protocol="HTTP/1.1"

           maxHttpHeaderSize="16384"

           ... other connector settings ... />

Security Considerations

While increasing the header size can resolve issues with applications that use larger headers (like those with complex authentication mechanisms or numerous cookies), it’s important to balance this against potential security implications. Setting an unnecessarily large value could potentially expose your system to certain types of attacks. The recommended 16KB for Pega applications or general 64KB recommendation provide a reasonable balance between functionality and security.

Testing Recommendation

Before implementing any changes to production systems, it’s always best practice to test the configuration change in a staging environment to ensure it resolves your specific requirements without introducing any issues.

References:
Pega Support - Platform 8.1.4 Resolved Issues
Pega Support - Platform 8.2 Resolved Issues
Apache Tomcat 8 Configuration Reference
Baeldung - Max-Http-Request-Header-Size in Spring Boot

Conversation		Replies	Views
Maximum file size that can be sent and received via Pega REST Service / Connector General system-administration , 8-4-1	0	1453	February 16, 2021
Constellation tips: how to reference a custom http header included in a dxapi call General pega-platform , constellation , java-and-activities , dx-api , 24-2	1	58	October 7, 2025
Set up HTTPS in Tomcat to use Pega Constellation Knowledge Share user-experience , constellation , pega-delivery-leader , sales-consultant , sales-manager , senior-system-architect , business-architect , solutions-consultant , solutions-consulting-manager , solutions-engineer , system-architect , lead-system-architect , experience-designer , citizen-developer , team-lead , ui-solutions-developer , system-administration , case-management , cloud-services , devops , project-delivery , updates , installation-and-deployment , pega-cloud , enterprise-application-development , financial-services , manufacturing , government , insurance , cross-industry , other-industry , consumer-services , communications-and-media , healthcare-and-life-sciences , pega-infinity , system-cloud-ops-administrator , dev-designer-studio	0	926	August 9, 2024
VA Scan remediation - HSTS Missing From HTTPS Server (RFC 6797) - INC-A21729 General solutions-consultant , healthcare-and-life-sciences , 7-4	2	284	January 30, 2024
Pega 8.7.4 in Tomcat 10 User Experience user-experience , security , data-integration , installation-and-deployment , 8-7-4	9	436	January 19, 2024