Does IIS6 truncate HTTP headers at a hard-coded limit?

  • Article

Question:

Using IIS the HTTP_ACCEPT header server variable received from the client appears to have a hard coded limit of 259 characters. This is causing problems when using a Windows Mobile 5 Smartphone which has a longer string than 259 characters which is getting truncated. The phone then receives a 406 error saying that e.g. HTML content is not acceptable. I can hack the registry on my phone but I would rather there was a fix in IIS to get round this limit so that my site can be used by others with this type of phone. Is there a patch or a hotfix or a service pack level I should know about?

Answer:

I cannot reproduce your claim on either Windows Server 2003 RTM or with Service Pack 1 installed. I think the issue is outside of IIS.

Using WFetch from IIS Diagnostics Toolkit, I am able to successfully send Accept: header of up to ~16K in length (the server-side limit depends on HTTP.SYS settings for MaxRequestBytes [i.e. max size of entire request] and MaxFieldLength [i.e. max size of a given request line, like the Accept: header], both of which default to 16K) as well as retrieve the complete header value using HTTP_ACCEPT in ASP.

Since I accomplished this on a default system, I presume the observed difference is due to non-default configuration of the IIS6 server that you are using. My guess at the issue involves custom ISAPI DLLs running on your server. I tried a couple of popular configurations, like ASP.Net 2.0 ISAPI configured as Wildcard Application mapping as well as my own test ISAPI Filter, and I did not see any issues with large Accept: (or any) header, so I do not believe the ISAPI interface is involved.

Perhaps your managed hosting provider has some 3rd party security ISAPI DLL which intentionally truncates header lengths. For example, ISAPI Filter or ISAPI Extension configured as a Wildcard Application mapping can filter and truncate request headers. Or the intervening network between your client and server imposes a limit on request header length.

At this point, you should probably contact your managed hosting provider regarding their server and network configuration and have them investigate what is going on. Based on my observations and investigation, I do not believe IIS6 truncates HTTP headers like the Accept: header on its own.

//David