
Copilot AI commented Sep 17, 2025

Overview

Expands the middleware functionality in the limits plugin to include two new header-based request limits, building on the foundation established in PR #8269.

New Features

1. Request Header Count Limit

Adds http_max_request_headers configuration to limit the total number of headers in an HTTP request:

limits:
  http_max_request_headers: 100  # Reject requests with >100 headers

2. Header List Items Limit

Adds http_max_header_list_items configuration to limit the number of values within individual header fields:

limits:
  http_max_header_list_items: 5  # Reject headers with >5 comma-separated values

Both limits are opt-in (when not specified, no limit is enforced) and respond with 431 Request Header Fields Too Large when exceeded.

Implementation Details

Middleware Architecture

  • RequestHeaderCountLimitLayer: Enforced at the middleware level, counts total headers per request
  • RequestHeaderListItemsLimitLayer: Counts individual values within each header field (e.g., Accept: json, xml, html = 3 items)
  • Integrated into existing limits plugin service stack using tower service patterns
  • Consistent error handling with existing body limit middleware

Error Response Format

When limits are exceeded, returns standard GraphQL error format:

{
  "errors": [
    {
      "message": "Request header fields too many",
      "extensions": {
        "details": "Request header fields too many",
        "code": "INVALID_GRAPHQL_REQUEST"
      }
    }
  ]
}

Distinction from Server-Level Limits

These middleware-level limits complement existing server-level configuration (server.http.max_headers):

  • Server-level: Enforced by HTTP implementation, protocol-specific, maximum performance
  • Middleware-level: Enforced by Apollo Router, consistent across HTTP versions, configurable routing logic

Testing

  • Unit tests: Verify middleware behavior with various header configurations
  • Integration tests: End-to-end validation through router request pipeline
  • Fixtures: Test configuration files for different limit scenarios

Documentation

Updated docs/source/routing/security/request-limits.mdx with:

  • Configuration examples for both new limits
  • Explanation of middleware vs server-level limit differences
  • JSON response format examples
  • Usage recommendations

Backward Compatibility

  • All changes are additive and opt-in
  • Existing functionality unchanged
  • No breaking changes to configuration or API

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • esm.ubuntu.com
    • Triggering command: /usr/lib/apt/methods/https (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

This pull request was created as a result of the following prompt from Copilot chat.

Expand the middleware functionality added in PR #8269 to address additional linked issues. Specifically:

  1. Add middleware to limit the number of headers in a request.
  2. Add middleware to limit the number of items in a header list.

Ensure that the new middleware integrates seamlessly with the existing implementation of the max header size middleware. Provide appropriate configuration options for each new middleware feature, such as default values and overrides. Update documentation and unit tests to cover the new functionalities.


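As an added illustration of the two checks described above (not code from this PR or from Apollo Router), a dependency-free Rust sketch: `Limits`, `Violation`, `list_item_count` and `check_header_limits` are hypothetical names, and both limits are modelled as opt-in `Option`s that reject only when the count exceeds the configured value. It also skips commas inside quoted strings and empty list elements, a detail the PR text does not specify.

```rust
// Added example (not Apollo Router code): the two header limits modelled on
// plain (name, value) pairs; names are hypothetical, only std is used.
#[derive(Debug, Clone, Copy, Default)]
pub struct Limits {
    /// Maximum header fields per request (None = no limit), cf. http_max_request_headers.
    pub max_request_headers: Option<usize>,
    /// Maximum list items in one header value (None = no limit), cf. http_max_header_list_items.
    pub max_header_list_items: Option<usize>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Violation {
    TooManyHeaders { count: usize, max: usize },
    TooManyListItems { header: String, count: usize, max: usize },
}

impl Violation {
    /// Either limit maps to HTTP 431 Request Header Fields Too Large.
    pub fn status(&self) -> u16 { 431 }
}

/// Count list items in a header value: split on commas outside quoted strings
/// (so `a="x,y", b` is 2 items) and skip empty elements (`a,,b` is 2 items).
pub fn list_item_count(value: &str) -> usize {
    let (mut items, mut in_quotes, mut escaped, mut cur_len) = (0usize, false, false, 0usize);
    for c in value.chars() {
        match c {
            '\\' if in_quotes && !escaped => { escaped = true; cur_len += 1; }
            '"' if !escaped => { in_quotes = !in_quotes; cur_len += 1; }
            ',' if !in_quotes => { if cur_len > 0 { items += 1; } cur_len = 0; }
            other => { if !other.is_whitespace() { cur_len += 1; } escaped = false; }
        }
    }
    if cur_len > 0 { items += 1; }
    items
}

/// Apply both opt-in limits; Ok(()) means the request passes to the next service.
pub fn check_header_limits(headers: &[(&str, &str)], limits: &Limits) -> Result<(), Violation> {
    if let Some(max) = limits.max_request_headers {
        if headers.len() > max {
            return Err(Violation::TooManyHeaders { count: headers.len(), max });
        }
    }
    if let Some(max) = limits.max_header_list_items {
        for (name, value) in headers {
            let count = list_item_count(value);
            if count > max {
                return Err(Violation::TooManyListItems { header: name.to_string(), count, max });
            }
        }
    }
    Ok(())
}
```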

@apollo-cla

@Copilot: Thank you for submitting a pull request! Before we can merge it, you'll need to sign the Apollo Contributor License Agreement here: https://contribute.apollographql.com/


apollo-librarian bot commented Sep 17, 2025

✅ Docs preview ready

The preview is ready to be viewed. View the preview

File Changes

0 new, 1 changed, 0 removed
* graphos/routing/(latest)/security/request-limits.mdx

Build ID: e3b3077edcf1cd2a71f32d95
Build Logs: View logs

URL: https://www.apollographql.com/docs/deploy-preview/e3b3077edcf1cd2a71f32d95

Copilot AI changed the title from "[WIP] Add middleware for header count and header list item limits" to "Add middleware for header count and header list item limits in limits plugin" Sep 17, 2025
Copilot AI requested a review from smyrick September 17, 2025 03:49
@smyrick smyrick marked this pull request as ready for review September 17, 2025 03:53
@smyrick smyrick requested review from a team as code owners September 17, 2025 03:53
@smyrick smyrick merged commit 20d2a20 into copilot/fix-5277 Sep 17, 2025
8 of 10 checks passed
@smyrick smyrick deleted the copilot/fix-fe8068d1-7254-4876-b8db-f103bec59540 branch September 17, 2025 03:54