In the in-process HTTP server, accepting only request data that is smaller than a fixed size lets you reject invalid request data, control the load on the server, and keep operation stable.
Set the following items to implement access control by limiting the request data size:
- Limiting the length of the request line
Control access by setting an upper limit on the length of the request line. The length of a request line includes the HTTP method, the URI (including the query string), the HTTP version, and the line feed (2 bytes) that marks the end of the request line.
If the length of the received request line exceeds the upper limit, an error with status code 414 is returned to the Web client.
- Limiting the number of HTTP headers
Control access by setting an upper limit on the number of HTTP headers included in the HTTP request.
If the number of HTTP headers in the received HTTP request exceeds the upper limit, an error with status code 400 is returned to the Web client.
- Limiting the request header size
Control access by setting an upper limit on the request header size of the HTTP request.
If the HTTP header size of the received HTTP request exceeds the upper limit, an error with status code 400 is returned to the Web client.
- Limiting the request body size
Control access by setting an upper limit on the body size of the HTTP request. In the in-process HTTP server, the body size of the HTTP request is determined from the value of the Content-Length header included in the request header.
If the body size of the HTTP request exceeds the upper limit, an error with status code 413 is returned to the Web client.
When the request body is sent in chunked format, the servlet reads data up to the specified upper limit. If the data exceeds the upper limit, an exception (IOException) is thrown in the servlet, but servlet processing continues, and the response that the application creates from the data read up to the upper limit is returned to the client that sent the request.
- Hint
- If a gateway device such as an SSL accelerator or load balancer exists, or a proxy server is deployed, and that gateway device or proxy server has its own function for controlling the request data size, you must set a value smaller than the value set in that control function.
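The following is an added illustration, not code from the in-process HTTP server or from Hitachi: it applies the four limits described above (request line, header count, header size, Content-Length body size) to a raw HTTP request head and returns the status code the server would answer with, and it reads a chunked body up to a cap and raises IOException once the cap is exceeded, as the chunked case above describes. The `Limits` values and the sample requests are constructed for the example.

```python
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    """Constructed example limits (bytes); the product's own defaults are not assumed here."""
    max_request_line: int = 8190    # method + URI + version + trailing CRLF (2 bytes)
    max_header_count: int = 100     # number of header lines
    max_header_size: int = 16384    # all header lines with their CRLFs plus the blank terminator
    max_body_size: int = 1_048_576  # taken from Content-Length


def check_request(raw: bytes, limits: Limits = Limits()):
    """Return None if the request head is within limits, else (status, reason)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return (400, "incomplete request head")

    line_end = head.find(b"\r\n")
    request_line = head if line_end < 0 else head[:line_end]
    # The limit covers the 2-byte line terminator, so add it back before comparing.
    if len(request_line) + 2 > limits.max_request_line:
        return (414, "request line too long")

    header_block = b"" if line_end < 0 else head[line_end + 2:]
    header_lines = header_block.split(b"\r\n") if header_block else []
    if len(header_lines) > limits.max_header_count:
        return (400, "too many headers")

    # Each header line counts with its CRLF; the empty line ending the head adds 2 more.
    header_size = sum(len(h) + 2 for h in header_lines) + 2
    if header_size > limits.max_header_size:
        return (400, "request header too large")

    # Body size is judged from Content-Length before any body byte is read.
    content_length = None
    for h in header_lines:
        name, _, value = h.partition(b":")
        if name.strip().lower() == b"content-length":
            try:
                content_length = int(value.strip())
            except ValueError:
                return (400, "malformed Content-Length")
            if content_length < 0:
                return (400, "malformed Content-Length")
    if content_length is not None and content_length > limits.max_body_size:
        return (413, "request body too large")
    return None


def read_chunked_body(stream, limit: int) -> bytes:
    """Decode a chunked body from a binary stream, raising IOError (IOException's
    Python counterpart) as soon as the decoded data would exceed `limit`."""
    out = bytearray()
    while True:
        size_line = stream.readline()
        if not size_line:
            raise IOError("unexpected end of chunked body")
        # Chunk extensions after ';' are ignored; the size is hexadecimal.
        size = int(size_line.split(b";")[0].strip(), 16)
        if size == 0:
            stream.readline()  # CRLF that ends the last-chunk (trailers not handled here)
            return bytes(out)
        if len(out) + size > limit:
            raise IOError("request body exceeds the upper limit of %d bytes" % limit)
        out += stream.read(size)
        stream.read(2)  # CRLF that follows the chunk data


if __name__ == "__main__":
    ok = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    print(check_request(ok))  # None: within limits
    long_uri = b"GET /" + b"a" * 9000 + b" HTTP/1.1\r\n\r\n"
    print(check_request(long_uri))  # (414, 'request line too long')
    big_body = b"POST /upload HTTP/1.1\r\nContent-Length: 2000000\r\n\r\n"
    print(check_request(big_body))  # (413, 'request body too large')
    print(read_chunked_body(io.BytesIO(b"5\r\nhello\r\n0\r\n\r\n"), limit=10))  # b'hello'
```

The checks are ordered the way the request arrives on the wire: the request line is judged first, then the header lines, and Content-Length is consulted before any body data is consumed, so an oversized body is rejected without buffering it. The chunked reader mirrors the behaviour described for the servlet: data up to the cap is returned to the caller, and the IOError is raised at the first chunk that would push past it.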
All Rights Reserved. Copyright (C) 2013, Hitachi, Ltd.