Why do I get a 400 Bad Request response when I have large cookies?


When requests to your application produce responses with large cookies, you get a 400 Bad Request response from the Heroku router.


The Heroku router has an 8192 byte per line restriction for headers (described here). Cookies are sent in responses on a single line, so this translates into an 8192 byte limit on your overall cookie size in responses. This 8192 byte limit is widely used: for example, 8k is the default limit for popular HTTP servers such as Apache, Nginx and Tomcat (search for maxHttpHeaderSize).

AWS ELBs impose this limit as well. The Heroku router therefore reflects the popular use of that limit, along with the limitations imposed by other systems our routing layer relies on. The HTTP spec does not impose a limit like this, but almost all implementations impose one for practical and security reasons (e.g., to protect against DoS attacks using large cookies). As such, this limit is unlikely to change in the future, and the only way to avoid this error is to reduce the size of the cookies sent in application responses.
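
One way to find oversized cookies before the router rejects the response, as an added example (not Heroku's code): a WSGI middleware that measures each response header line against the 8192 byte limit and logs the ones that exceed it. The class and function names are hypothetical, and counting a line as `Name: value` without the trailing CRLF is an assumption about how the limit is measured.

```python
import logging

HEADER_LINE_LIMIT = 8192  # per-line header limit stated on this page

log = logging.getLogger("header_size")


def header_line_size(name, value):
    """Bytes of one header line, 'Name: value' (CRLF excluded: assumption)."""
    return len(f"{name}: {value}".encode("latin-1", "replace"))


def oversized_headers(headers, limit=HEADER_LINE_LIMIT):
    """Return [(name, size)] for each header line larger than limit."""
    sized = [(name, header_line_size(name, value)) for name, value in headers]
    return [(name, size) for name, size in sized if size > limit]


class HeaderSizeGuard:
    """WSGI middleware that records and logs oversized response header lines."""

    def __init__(self, app, limit=HEADER_LINE_LIMIT):
        self.app = app
        self.limit = limit
        self.violations = []  # (path, header name, size); kept for inspection

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")

        def checked_start(status, headers, exc_info=None):
            for name, size in oversized_headers(headers, self.limit):
                self.violations.append((path, name, size))
                log.warning("%s: %s header line is %d bytes (limit %d)",
                            path, name, size, self.limit)
            return start_response(status, headers, exc_info)

        return self.app(environ, checked_start)


def demo_app(environ, start_response):
    # Constructed sample: a session cookie carrying 9000 bytes of data
    cookie = "session=" + "A" * 9000 + "; Path=/; HttpOnly"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", cookie)])
    return [b"ok"]


def run_demo():
    guard = HeaderSizeGuard(demo_app)
    body = guard({"PATH_INFO": "/login"}, lambda s, h, e=None: None)
    return list(body), guard.violations
```

Wrapping the application object in `HeaderSizeGuard` in staging shows which route and which header cross the limit, which is the information needed to trim the cookie.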