We are using http2 and we have some requests with many cookies and this results in us exceeding the maxHeaderSize limit. This has taken a very long time to track down as tomcat does not log anything under these conditions - prior to http2 I'm pretty sure this situation was logged (at least once). The code in question is: if (hpackDecoder.isHeaderSizeExceeded(headerReadBuffer.position())) { StreamException headerException = new StreamException(sm.getString( "http2Parser.headerLimitSize", connectionId, Integer.valueOf(streamId)), Http2Error.ENHANCE_YOUR_CALM, streamId); hpackDecoder.getHeaderEmitter().setHeaderException(headerException); } Note: it is logged if I turn on debug logging but we can't do that in production. o.a.coyote.http2.Http2UpgradeHandler : Connection [1], Stream [1], Error [ENHANCE_YOUR_CALM], Message [Connection [1], Stream [1], Total header size too big], RST (closing stream) Could this be logged as a warning, so we can at least detect this situation in production?
Logging every instance of this opens up the potential for a DoS. We can look at the possibility of mirroring the logging used for HTTP/1.1 which logs via a UserDataHelper instance.
Logging at least the first instance would be much more helpful than the current situation.
Fixed in: - 10.1.x for 10.1.0-M18 onwards - 10.0.x for 10.0.24 onwards - 9.0.x for 9.0.66 onwards - 8.5.x for 8.5.83 onwards