Setting Content-Length header too high results in Server Error
Description
Requests to the API may contain a request body. Regardless of whether the endpoint requires one or not, request handling is controlled by the transmitted `Content-Length` header. If no such header is included in the request, the API returns `411 Length Required` (for endpoints requiring a payload) or ignores the body gracefully (for endpoints requiring no payload). However, when a `Content-Length` header is transmitted, there are three cases depending on the transmitted length (L) and the actual body size (B).
Condition | Behavior | Expected Behavior |
---|---|---|
L < B | Only L bytes are read, the rest is discarded. Endpoints expecting a payload operate on the truncated data, succeeding or failing accordingly. Endpoints expecting no payload ignore the body. | as observed |
L == B | The complete body is read. Endpoints expecting a payload operate accordingly. Endpoints expecting no payload ignore the body. | as observed |
L > B | The first B bytes are read, then the server waits for the final bytes. Regardless of whether the endpoint expects a payload or not, the server finally returns `500 Internal Server Error` after timing out (after approx. 1 min). | to discuss |
Discussion
The problem is the final case, L > B. The server waits for the final bytes, which will never arrive. In my opinion, this is not a server error but a client-side error. Thus, the resulting status code should be in the 4xx range. Either a general `400 Bad Request` or the specific `408 Request Timeout`? Any thoughts?
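As an added illustration (not part of the issue above and not the API it describes), the following Python script reproduces the four situations from the table against a throwaway local server: no `Content-Length`, L < B, L == B and L > B. The server side shows how the stalled read in the L > B case can be caught and mapped to a 4xx response, using `408 Request Timeout` as one of the two options the post raises. Everything here is assumed for the demo: the `/echo` path, the one-second `READ_TIMEOUT` standing in for the roughly one-minute wait reported in the issue, and the constructed five-byte sample body.

```python
"""Reproduce the Content-Length cases from the issue against a local demo server."""
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed demo value: the server in the issue waited about a minute before
# failing; one second keeps the L > B case short enough to run in a test.
READ_TIMEOUT = 1.0


class LengthAwareHandler(BaseHTTPRequestHandler):
    """Hypothetical endpoint that reads exactly Content-Length bytes and reports
    how many it got. A read that stalls because the client promised more bytes
    than it sent is answered with 408 instead of surfacing as a 500."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_POST(self):
        declared = self.headers.get("Content-Length")
        if declared is None:
            self.send_error(411)  # Length Required: nothing to frame the body with
            return
        try:
            length = int(declared)
            if length < 0:
                raise ValueError
        except ValueError:
            self.send_error(400)  # Bad Request: unparsable length
            return

        # Bound the wait for the remaining bytes. A short or exact header returns
        # at once; a header larger than the body blocks here until the timeout.
        self.connection.settimeout(READ_TIMEOUT)
        try:
            body = self.rfile.read(length)  # exactly `length` bytes, or block
        except socket.timeout:
            self.send_error(408)  # Request Timeout: the client never sent the rest
            return
        # Bytes beyond `length` (the L < B case) stay unread and are dropped when
        # the HTTP/1.0 connection closes after this response.
        payload = json.dumps({"declared": length, "received": len(body)}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


def send_raw(port, body, declared_length, timeout=5.0):
    """Send a hand-built POST so the Content-Length header can disagree with the
    body. declared_length=None omits the header. Returns (status, bytes_read)."""
    head = "POST /echo HTTP/1.1\r\nHost: localhost\r\n"
    if declared_length is not None:
        head += f"Content-Length: {declared_length}\r\n"
    request = head.encode() + b"\r\n" + body
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            try:
                data = s.recv(4096)
            except ConnectionResetError:  # server closed with surplus bytes unread
                break
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    status = int(raw.split(b" ", 2)[1])
    _, _, resp_body = raw.partition(b"\r\n\r\n")
    received = json.loads(resp_body)["received"] if status == 200 else None
    return status, received


def run_demo():
    """Run the four cases against an ephemeral local server.
    Returns {case: (status, bytes_read)}; bytes_read is None for error responses."""
    server = HTTPServer(("127.0.0.1", 0), LengthAwareHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    body = b"hello"  # constructed sample body, so B == 5
    try:
        return {
            "missing": send_raw(port, b"", None),         # no header -> 411
            "L<B": send_raw(port, body, 3),               # truncated -> 200, 3 bytes read
            "L==B": send_raw(port, body, len(body)),      # exact     -> 200, 5 bytes read
            "L>B": send_raw(port, body, len(body) + 10),  # stalls    -> 408 after READ_TIMEOUT
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for case, (status, received) in run_demo().items():
        print(f"{case:8} -> status {status}, bytes read: {received}")
```

Running the script takes about a second because of the L > B case. The point of the server side is that the wait itself is unavoidable (the server cannot know the client will never send the rest), but the failure it produces is a property of the request, so the handler reports it as such rather than letting the timeout propagate as a generic 500.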