414 URI Too Long
The 414 URI Too Long HTTP status code indicates an unexpected or over-long request message body. In some environments, a lengthy request URI may trigger 431 Request Header Fields Too Large, especially in HTTP/2, where the request-URI follws the same syntax as a header (see Implementations below).
Writing responses (servers)
On the Web and in HTTP, URIs are allowed to be indefinitely long; there is no defined limitation on URI length. However, at some point, long URIs can become technically infeasible, causing performance issues, excessive resource consumption, and can even be a vector for attacks against cryptographic systems if compressed over the wire. There are two triggers for this status code:
Parsing terminated
If the request-line is being parsed and the client has sent more characters than the server-defined maximum, terminate parsing, return 414 URI Too Long
with Connection: close
, and close the stream.
Request fully parsed
If the server fully parsed the request headers, the server may still indicate one of the headers is too long to be used in processing the request.
Reading responses (clients)
The resource the client is trying to request probably does not exist, it does not make sense to re-try this request, but a request for a different resource could be considered instead.
Overview table
- Name
- 414
- Message
- 414 URI Too Long
- Description
- The request URI is too large.
- Specification
- RFC 7231: HTTP/1.1 Semantics and Content ยง6.5.12. 414 URI Too Long
Example
HTTP/1.1 414 URI Too Long
Implementations
Node.js
Node.js has a builtin HTTP parser that will respond if a header line exceeds the maximum allowed length. It treats the request-line the same as a header-line, see 431 Request Header Too Long for setting this limit and generating a custom response when handling this error.
Apache HTTPD
Apache HTTPD returns 414 URI Too Long
when the total length of the request line, including HTTP method and version, but excluding the line terminator, is greater than the configured setting for LimitRequestLine
, which defaults to 8190 bytes.
See the LimitRequestLine Directive and the DEFAULT_LIMIT_REQUEST_LINE
constant for implementation details.