TL;DR — Quick Summary
Fix the Nginx '400 Bad Request: Request Header Or Cookie Too Large' error. Learn how to configure large_client_header_buffers in Nginx, Kubernetes, and Docker.
Note: This article was originally published in 2014. Some steps, commands, or software versions may have changed. Check the current NginX documentation for the latest information.
Resolved: 400 Bad Request - Request header or Cookie too large when using NginX
One of the most frustrating issues developers encounter when putting Nginx in front of a modern web application is the “400 Bad Request - Request Header Or Cookie Too Large” error.
This error typically appears out of nowhere—your site works perfectly until a user browses too many pages, logs into an SSO provider (like OAuth or SAML), or accumulates too many tracking cookies. Suddenly, Nginx throws a 400 Bad Request, while the application backend never even sees the traffic.
What Causes the “Cookie Too Large” Error?
When a browser makes an HTTP request to your Nginx server, it sends all cookies associated with that domain in the HTTP headers. Modern applications often store large JSON Web Tokens (JWTs), bulky session state, or dozens of analytics tracking cookies.
Nginx allocates memory buffers to read these incoming client requests. By default, Nginx sets the size of one buffer to 8K (8192 bytes) on most platforms.
If all the cookies combined into the Cookie: header (or any single header line) exceed this 8KB limit, Nginx immediately drops the request and returns a 400 Bad Request error. It refuses to process the request to protect against potential buffer overflow attacks.
How to Fix the Error in Nginx (nginx.conf)
The solution is simple: you need to explicitly tell Nginx to allow larger headers by using the large_client_header_buffers directive.
This directive is valid inside the http or server context blocks.
server {
    listen 80;
    server_name example.com;

    # Increase buffer size to handle large cookies (e.g. JWT tokens)
    # Syntax: large_client_header_buffers <number> <size>;
    large_client_header_buffers 4 16k;

    location / {
        proxy_pass http://backend;
    }
}
Crucial Detail: The request line (e.g., GET /very-long-url HTTP/1.1) cannot be larger than the size of one buffer. Likewise, the longest single header line (which includes your massive Cookie: header) must not exceed the size of one buffer. Therefore, you must increase the size (e.g., from 8k to 16k or 32k), not just the number of buffers. Adding large_client_header_buffers 8 8k; will not fix a 10KB cookie issue.
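The rule above can be checked before a change is deployed. The Python sketch below is an added example, not part of the original article: it reads the directive from a config snippet and tests a constructed request with a 10 KB cookie against the two settings discussed. The function names and sample values are assumptions, and the model is simplified (nginx's smaller initial header buffer is ignored).

```python
import re

UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}
# Anchored to line start so a commented-out "# Syntax: ..." line is skipped.
DIRECTIVE = re.compile(
    r"^[ \t]*large_client_header_buffers\s+(\d+)\s+(\d+)([kKmM]?)\s*;", re.M)

def parse_buffers(conf_text):
    """Return (number, size_in_bytes) from an nginx config snippet."""
    m = DIRECTIVE.search(conf_text)
    if m is None:
        return 4, 8 * 1024  # nginx default: 4 buffers of 8k
    return int(m.group(1)), int(m.group(2)) * UNITS[m.group(3).lower()]

def oversized(request_line, headers, number, size):
    """List (name, bytes) for each line that breaks the limits.

    Simplified model: the request line and every header line must fit in
    ONE buffer, and all lines together must fit in number * size bytes.
    """
    lines = [("request line", request_line)]
    lines += [(name, f"{name}: {value}") for name, value in headers.items()]
    sized = [(name, len(text.encode("utf-8")) + 2) for name, text in lines]  # +2 for CRLF
    bad = [(name, n) for name, n in sized if n > size]
    total = sum(n for _, n in sized)
    if total > number * size:
        bad.append(("all headers combined", total))
    return bad

# Constructed sample: a request carrying a 10 KB session cookie.
SAMPLE_HEADERS = {"Host": "example.com", "Cookie": "session=" + "A" * (10 * 1024)}

# The two settings compared in the article.
CONFIGS = {
    "more buffers": "# Syntax: large_client_header_buffers <number> <size>;\n"
                    "large_client_header_buffers 8 8k;",
    "bigger buffers": "large_client_header_buffers 4 16k;",
}

def report():
    """Map each config label to the list of lines nginx would reject."""
    results = {}
    for label, conf in CONFIGS.items():
        number, size = parse_buffers(conf)
        results[label] = oversized("GET / HTTP/1.1", SAMPLE_HEADERS, number, size)
    return results

if __name__ == "__main__":
    for label, bad in report().items():
        print(label, "->", "accepted" if not bad else f"rejected: {bad}")
```

Each connection can make Nginx allocate up to number × size bytes for request headers, so raise the size only as far as your largest legitimate cookie requires.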
Fixing it in Kubernetes Nginx Ingress
If you are running Nginx inside a Kubernetes cluster using the Nginx Ingress Controller, you cannot edit the nginx.conf directly. Instead, you apply the change globally via the ConfigMap, or locally via an annotation on your Ingress resource.
Locally via Ingress Annotation:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app-ingress
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
      large_client_header_buffers 4 32k;
spec:
  # ...
Globally via ConfigMap:
Modify your ingress-nginx-controller ConfigMap to include:
data:
  large-client-header-buffers: "4 32k"
Why Does This Error Seem Random?
This is a tricky error to catch because it is entirely user-dependent. It only affects users who have accumulated a massive payload of cookies over the allotted capacity.
- Scenario 1: A user browses your site over time, accumulating ad-tracking and analytics cookies. Eventually, they hit the 8K limit and the site completely breaks for them. Meanwhile, a fresh user (or Incognito mode) accesses the exact same pages with zero problems.
- Scenario 2: A specific application endpoint sets a massive JWT session cookie. Anyone who logs in gets a 400 error on their next request.
In both cases, clearing the browser cookies for that domain will instantly “fix” the problem for the user, but the real solution is increasing the Nginx buffer size so it doesn’t happen again.