TLDR: AWS ALB incorrectly returns an HTTP 502 error when HTTP headers are too large, instead of the expected HTTP 431.
Just wanted to note that we’ve discovered a small bug in AWS’ ALB. HTTP/1.x requests are subject to hard size limits that cannot be changed. As listed here, they are:
- Request line: 16 K
- Single header: 16 K
- Whole header: 64 K
Based on RFC 6585, the error that should be returned to the client when the headers exceed these limits is 431 Request Header Fields Too Large. The RFC states:
The 431 status code indicates that the server is unwilling to process the request because its header fields are too large. The request MAY be resubmitted after reducing the size of the request header fields.
It can be used both when the set of request header fields in total is too large, and when a single header field is at fault. In the latter case, the response representation SHOULD specify which header field was too large.
However, in such cases AWS ALB sometimes returns HTTP 400 Request Header Or Cookie Too Large (actually, it should have at least been “Bad Request”) and sometimes an HTTP 502 Bad Gateway error. We reproduced this behavior both in the browser and by using manual curl commands.
You can see more information about the investigation reaching this conclusion here.
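As an added example (not from the original post or from AWS), this Python check measures a request against the three limits listed above and triages an observed 400 or 502, so a gateway error caused by oversized headers is not mistaken for a backend fault. It assumes that K means 1024 bytes, that sizes are counted on the wire including CRLF, and that the whole-header limit excludes the request line; `check_request`, `triage` and the sample hostname are hypothetical names.

```python
from urllib.parse import urlsplit

K = 1024  # assumption: "K" in the list above means 1024 bytes
LIMITS = {"request_line": 16 * K, "single_header": 16 * K, "whole_header": 64 * K}


def check_request(method, url, headers, version="HTTP/1.1"):
    """Return a list of (limit_name, offending_item, size, limit) violations.

    Sizes are counted on the wire, CRLF included; "whole_header" is the sum of
    all header lines without the request line (both are assumptions).
    """
    parts = urlsplit(url)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    line_len = len(f"{method} {target} {version}\r\n".encode("utf-8"))
    sizes = {n: len(f"{n}: {v}\r\n".encode("utf-8")) for n, v in headers.items()}

    violations = []
    if line_len > LIMITS["request_line"]:
        violations.append(("request_line", parts.path or "/", line_len, LIMITS["request_line"]))
    for name, size in sizes.items():
        if size > LIMITS["single_header"]:
            violations.append(("single_header", name, size, LIMITS["single_header"]))
    total = sum(sizes.values())
    if total > LIMITS["whole_header"]:
        violations.append(("whole_header", "*", total, LIMITS["whole_header"]))
    return violations


def triage(status, violations):
    """Explain an observed status code in light of the request's header sizes."""
    if not violations:
        return "headers within limits; look elsewhere for the cause"
    names = ", ".join(f"{kind}:{item}" for kind, item, _, _ in violations)
    if status == 431:
        return f"oversized ({names}); 431 is the RFC 6585 response"
    if status in (400, 502):
        return f"oversized ({names}); {status} matches the ALB behaviour described above"
    return f"oversized ({names}); unexpected status {status}"


# Constructed sample: a session cookie that has grown past 16 K.
sample = {"Host": "app.example.com", "Cookie": "session=" + "A" * (17 * K)}
if __name__ == "__main__":
    print(triage(502, check_request("GET", "https://app.example.com/", sample)))
```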