Metadata

ID: csharp-best-practices/maxresponseheaderslength-size

Language: C#

Severity: Notice

Category: Best Practices

Description

The MaxResponseHeadersLength property of the HttpClientHandler class sets the maximum length of the response headers. Setting this property to an excessively large value can cause performance issues, because it allows very large headers to be processed and stored in memory.

Large headers can also lead to security vulnerabilities, as they can be exploited in Denial of Service (DoS) attacks. By setting this property to a reasonable size, such as 64KB or 128KB, you can limit the amount of system resources used to process headers, improving your application’s performance and security.

How to Remediate

Set the MaxResponseHeadersLength property to a reasonable size. Avoid setting this property to excessively large values. If your application needs to handle larger headers on a regular basis, consider other ways of processing the data that don’t involve storing the entire header in memory.

Non-Compliant Code Examples

HttpClientHandler handler = new()
{
    // Too large: the value is in kilobytes, so 512 KB exceeds 128 KB
    MaxResponseHeadersLength = 512
};

Compliant Code Examples

HttpClientHandler handler = new()
{
    MaxResponseHeadersLength = 1
};
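
The following is an added example, not part of the original rule documentation. It shows what the limit does at runtime: a constructed loopback server returns about 200 KB of headers, and a client capped at 64 (the property value is in kilobytes) rejects the response with an HttpRequestException instead of buffering it. The server, the port selection and the X-Pad-* header names are made up for the demonstration.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Net.Sockets;
using System.Text;
using System.Threading.Tasks;

// Constructed test server: answers one request with ~200 KB of response headers.
var listener = new TcpListener(IPAddress.Loopback, 0);
listener.Start();
int port = ((IPEndPoint)listener.LocalEndpoint).Port;

Task server = Task.Run(async () =>
{
    using TcpClient conn = await listener.AcceptTcpClientAsync();
    NetworkStream stream = conn.GetStream();
    var request = new byte[4096];
    await stream.ReadAsync(request);            // read and ignore the request

    var sb = new StringBuilder("HTTP/1.1 200 OK\r\nContent-Length: 0\r\n");
    for (int i = 0; i < 200; i++)               // 200 headers of ~1 KB each
        sb.Append($"X-Pad-{i}: {new string('a', 1024)}\r\n");
    sb.Append("\r\n");

    try { await stream.WriteAsync(Encoding.ASCII.GetBytes(sb.ToString())); }
    catch (IOException) { /* client dropped the connection at its limit */ }
});

// Client under test: accept at most 64 KB of response headers.
using var handler = new HttpClientHandler { MaxResponseHeadersLength = 64 };
using var client = new HttpClient(handler);

try
{
    using HttpResponseMessage resp = await client.GetAsync($"http://127.0.0.1:{port}/");
    Console.WriteLine($"Accepted response: {(int)resp.StatusCode}");
}
catch (HttpRequestException ex)
{
    // Oversized headers are refused; treat this as an untrusted-server failure.
    Console.WriteLine($"Rejected oversized headers: {ex.Message}");
}
finally
{
    await server;
    listener.Stop();
}
```

Raising the limit to 512 in this program lets the same response through, which is the memory cost the rule flags.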