upload_max_part_header_len
The `upload_max_part_header_len` directive configures the maximum allowed length of the multipart headers for file uploads in NGINX.
Description
The `upload_max_part_header_len` directive belongs to the NGINX upload module and sets the maximum allowed length of the header portion of each part of a multipart/form-data request. Part headers carry metadata about uploaded files, such as filenames and content types. If the headers exceed the specified length, the request is rejected, which helps protect against header-based attacks and malformed requests that could disrupt server operation.
The directive can be used in the http, server, and location contexts, so the limit can be tuned to the needs of each application. Its parameter is an integer giving the maximum length in bytes. The default value is none, meaning there is no upper limit on the length unless one is explicitly set. Choose the value carefully, balancing functionality against security, to mitigate the risks associated with very large headers.
Config Example
```nginx
server {
    listen 80;
    server_name example.com;

    location /upload {
        upload_pass /upload_handler;
        upload_max_part_header_len 100k;
        upload_store /tmp/uploads;
    }
}
```

Setting `upload_max_part_header_len` too low may cause legitimate requests to be rejected, particularly if file metadata is expected to be long.
The directive does not affect the overall request body size, only the headers related to individual parts of a multipart request.
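To choose a limit that does not reject legitimate uploads, it helps to measure the part headers your clients actually send. The following is an added example, not code from the upload module: it parses a captured multipart/form-data body and reports each part's header length against a candidate limit. The function names and the sample request are constructed, and because the page does not say whether the module counts the whole header block or a single header line, both figures are reported.

```python
import re

def parse_size(value):
    """Convert an nginx-style size ('512', '100k', '1m') to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", value)
    if not m:
        raise ValueError(f"bad size: {value!r}")
    return int(m.group(1)) * {"": 1, "k": 1024, "m": 1024 ** 2}[m.group(2).lower()]

def part_header_lengths(content_type, body):
    """Per part: bytes in the whole header block and in its longest header line."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no boundary parameter in Content-Type")
    delim = b"\r\n--" + m.group(1).encode("ascii")
    results = []
    # Prefix CRLF so the first delimiter is matched like the others.
    for seg in (b"\r\n" + body).split(delim)[1:]:
        if seg.startswith(b"--"):          # closing delimiter
            break
        rest = seg[2:]                     # drop the CRLF that ends the delimiter line
        if rest.startswith(b"\r\n"):       # part with no headers at all
            head = b""
        else:
            head, sep, _ = rest.partition(b"\r\n\r\n")
            if not sep:
                raise ValueError("part headers are not terminated")
        lines = head.split(b"\r\n")
        results.append({"block": len(head), "longest_line": max(len(l) for l in lines)})
    return results

def oversized_parts(content_type, body, limit):
    """Indexes of parts whose header block exceeds the candidate limit."""
    cap = parse_size(limit)
    return [i for i, p in enumerate(part_header_lengths(content_type, body))
            if p["block"] > cap]

# Constructed sample request: a short text field and a file with a long filename.
BOUNDARY = "----constructedBoundary42"
CT = f"multipart/form-data; boundary={BOUNDARY}"
BODY = (f"--{BOUNDARY}\r\n"
        'Content-Disposition: form-data; name="note"\r\n\r\nhello\r\n'
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{"a" * 600}.pdf"\r\n'
        "Content-Type: application/pdf\r\n\r\n%PDF-1.4\r\n"
        f"--{BOUNDARY}--\r\n").encode()

if __name__ == "__main__":
    print(part_header_lengths(CT, BODY), oversized_parts(CT, BODY, "512"))
```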