Question
What is the limit on QueryString / GET / URL parameters
Answer 1:
There is no limit in theory. For HTTP URLs, the HTTP 1.1 specification states:
The HTTP protocol does not place any a priori limit on the length of a URI. Servers MUST be able to handle the URI of any resource they serve, and SHOULD be able to handle URIs of unbounded length if they provide GET-based forms that could generate such URIs. A server SHOULD return 414 (Request-URI Too Long) status if a URI is longer than the server can handle (see section 10.4.15).
But in practice, many clients and servers do only support URLs up to a certain length. The rule of thumb is not to use URLs longer than 2000 characters (percent encoding already taken into account).
Answer 2:
There is no defined limit. However, RFC 2068 states:
The HTTP protocol does not place any a priori limit on the length of a URI. Servers MUST be able to handle the URI of any resource they serve, and SHOULD be able to handle URIs of unbounded length if they provide GET-based forms that could generate such URIs. A server SHOULD return 414 (Request-URI Too Long) status if a URI is longer than the server can handle (see section 10.4.15). Note: Servers should be cautious about depending on URI lengths above 255 bytes, because some older client or proxy implementations may not properly support these lengths.
Answer 3:
Although officially there is no limit, many security configuration recommendations state that maxQueryStrings on a server should be set to a maximum character limit of 1024 while the entire URL including the query string should be set to a max of 2048 characters. This is to prevent the Slow HTTP Request vulnerability on a web server to prevent slow DDoS attacks that shows up on the Qualys Web Application Scanner and other security scanners.
Please see the below code for Windows IIS Servers with Web.config:
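<!-- Place this section inside <system.webServer> in Web.config -->
<security>
  <requestFiltering>
    <!-- Request filtering limits on query string and URL length -->
    <requestLimits maxQueryString="1024" maxUrl="2048">
      <headerLimits>
        <!-- Size limit for the Content-type request header -->
        <add header="Content-type" sizeLimit="100" />
      </headerLimits>
    </requestLimits>
  </requestFiltering>
</security>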
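A way to check a Web.config against the limits recommended in Answer 3, as an added example that is not part of the original answers. The function name, the sample documents, and the IIS default values used for the "not set" case (2048 and 4096) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Ceilings recommended in Answer 3.
RECOMMENDED = {"maxQueryString": 1024, "maxUrl": 2048}
# Assumption: values IIS request filtering applies when the attribute is absent.
IIS_DEFAULTS = {"maxQueryString": 2048, "maxUrl": 4096}


def audit_request_limits(config_xml):
    """Return a list of findings for the first <requestLimits> element found."""
    root = ET.fromstring(config_xml)
    # iter() also accepts a bare <security> fragment, not only a full Web.config.
    limits = next(root.iter("requestLimits"), None)
    findings = []
    for attr, ceiling in RECOMMENDED.items():
        raw = None if limits is None else limits.get(attr)
        if raw is None:
            findings.append(
                f"{attr}: not set, default {IIS_DEFAULTS[attr]} applies "
                f"(recommended <= {ceiling})"
            )
        elif not raw.strip().isdigit():
            findings.append(f"{attr}: non-numeric value {raw!r}")
        elif int(raw) > ceiling:
            findings.append(f"{attr}: {int(raw)} exceeds recommended {ceiling}")
    return findings


# The fragment from Answer 3.
FROM_ANSWER = """<security><requestFiltering>
  <requestLimits maxQueryString="1024" maxUrl="2048">
    <headerLimits><add header="Content-type" sizeLimit="100" /></headerLimits>
  </requestLimits>
</requestFiltering></security>"""

# Constructed sample: query string limit raised, maxUrl left unset.
WEAK = """<configuration><system.webServer><security><requestFiltering>
  <requestLimits maxQueryString="4096" />
</requestFiltering></security></system.webServer></configuration>"""

if __name__ == "__main__":
    for name, doc in (("answer 3", FROM_ANSWER), ("weak sample", WEAK)):
        print(name, audit_request_limits(doc) or "OK")
```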
Source: https://stackoverflow.com/questions/3091485/what-is-the-limit-on-querystring-get-url-parameters