HTTP 431 Request Header Fields Too Large
HTTP 431 Request Header Fields Too Large means the server is refusing the request because the combined size of the request headers exceeds its limit. The server does not process the request body and returns 431 to signal that the client must reduce header size before retrying.
431 was standardized in RFC 6585 alongside 429. It exists to distinguish header-size rejections from generic 400 Bad Request errors, making the problem easier to diagnose.
Quick reference
| Code | 431 |
|---|---|
| Name | Request Header Fields Too Large |
| Category | 4xx Client Errors |
| Specification | RFC 6585 §5 |
| IANA status | Assigned |
| Client behavior | Reduce header sizes and retry. The server response body should indicate whether the total header block is too large or a specific individual header. |
| Caching | Not cached. |
| In-depth guide | HTTP 431 header size guide → |
What it means
HTTP servers impose size limits on request headers for performance and security reasons. Parsing headers requires memory allocation proportional to header size. Very large headers can be a vector for memory exhaustion attacks (by sending many large requests with enormous headers), can slow down header parsing, and can indicate misconfigured or abusive clients.
RFC 6585 specifies two distinct scenarios for 431: the total combined header block is too large, or a single individual header field is too large. The server response body should indicate which applies. In practice, most implementations return a generic 431 without distinguishing between the two.
Why Cookie headers are the most common cause
Cookie headers accumulate over time. Each Set-Cookie response from the server adds a cookie that the browser sends back on every subsequent request. On high-traffic web applications, users can accumulate dozens of cookies, some of which persist long after they are relevant. The resulting Cookie header can easily exceed server limits. This is exacerbated by third-party scripts that set their own cookies and A/B testing tools that set multiple variant cookies.
Common causes
Oversized Cookie header from cookie accumulation
The most common cause on web applications. Browsers send all cookies for the domain on every request. After months of use, a user's browser may be sending hundreds of cookies totaling kilobytes. The fix requires both clearing stale cookies on the client side and implementing cookie hygiene on the server side (expiration dates, Max-Age limits, regular cookie audits).
Large JWT or OAuth access tokens in Authorization header
JSON Web Tokens used as bearer tokens in APIs can grow large — especially JWTs that embed significant claims payloads. A JWT Authorization header of several kilobytes combined with other headers can exceed limits. Consider reducing JWT claims payload or using opaque tokens with server-side session lookup instead.
API clients sending redundant custom headers
API clients that add many custom X- headers — trace IDs, correlation IDs, feature flags, client metadata — can collectively push header size over limits. Audit the headers being sent and remove any that are not required by the server.
Excessively long Referer or User-Agent values
Some automated clients and testing tools send very long User-Agent strings or Referer headers. While unusual, a single oversized header can trigger 431 if the per-header limit is lower than the total header limit.
How to diagnose and fix a 431 error
- Find the oversized header. In browser DevTools, go to Network → select the failing request → Headers tab. Look for unusually large Cookie, Authorization, or custom headers. In curl, `curl -v URL 2>&1 | grep "^>"` shows all sent headers with their values.
- For Cookie issues (users): Clear cookies for the affected domain in your browser. Go to DevTools → Application → Cookies, select the domain, and delete all or selectively delete stale/old cookies.
- For Cookie issues (operators): Implement cookie cleanup: set explicit `Max-Age` or `Expires` on all cookies, audit and remove cookies set by third-party scripts, and consider consolidating multiple cookies into a single session cookie with a server-side store.
- For API token issues: Reduce JWT claims payload or switch to opaque tokens. Ensure tokens are not being sent redundantly in multiple headers.
- Increase server header size limits (if you control the server):
  - Nginx: `large_client_header_buffers 4 16k;` in the http or server block
  - Apache: `LimitRequestFieldSize 16384` in httpd.conf
  - Node.js: `node --max-http-header-size=16384 app.js`
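The two RFC 6585 cases described under "What it means" (whole header block too large versus one field too large), the cookie-accumulation scenario, and the "find the oversized header" step above can all be exercised offline with the following script. It is an added example written for this page, not code from RFC 6585 or from Nginx, Apache or Node.js. The 8 KB limits are assumed (they mirror the default figure the page quotes); the request line is not counted, although some servers count it; the three sample requests are constructed, not captured traffic.

```python
"""Audit a raw HTTP/1.1 request header block the way a server applying
RFC 6585 section 5 would, and show operator-side cookie cleanup.

Added example for this page; limits and sample requests are assumed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed limits: 8 KB, the default figure the page gives for Nginx/Apache.
TOTAL_LIMIT = 8 * 1024   # whole header block
FIELD_LIMIT = 8 * 1024   # any single header field


@dataclass
class HeaderAudit:
    status: int              # 200 if acceptable, else 431
    reason: Optional[str]    # "field" (one header too big), "total", or None
    total_bytes: int         # wire size of all header fields
    largest_name: str        # header field with the largest wire size
    largest_bytes: int


def audit_headers(raw_request: bytes,
                  total_limit: int = TOTAL_LIMIT,
                  field_limit: int = FIELD_LIMIT) -> HeaderAudit:
    """Classify a request per the two RFC 6585 cases.

    Each field is measured in its wire form (name, colon, value, CRLF),
    which is what server buffer limits are compared against. A single
    oversized field is reported before an oversized total, because that
    is the more specific diagnosis for the client.
    """
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    field_lines = head.split(b"\r\n")[1:]        # drop the request line
    total, largest_name, largest_bytes = 0, "", 0
    for line in field_lines:
        if not line:
            continue
        size = len(line) + 2                     # count the CRLF too
        total += size
        name = line.split(b":", 1)[0].strip().decode("latin-1")
        if size > largest_bytes:
            largest_name, largest_bytes = name, size
    if largest_bytes > field_limit:
        return HeaderAudit(431, "field", total, largest_name, largest_bytes)
    if total > total_limit:
        return HeaderAudit(431, "total", total, largest_name, largest_bytes)
    return HeaderAudit(200, None, total, largest_name, largest_bytes)


def response_431(audit: HeaderAudit) -> bytes:
    """Build a 431 response whose body names which case applies, so the
    client knows what to shrink (RFC 6585 recommends saying which)."""
    if audit.reason == "field":
        detail = (f"header field '{audit.largest_name}' is "
                  f"{audit.largest_bytes} bytes, limit is {FIELD_LIMIT}")
    else:
        detail = f"total header block is {audit.total_bytes} bytes, limit is {TOTAL_LIMIT}"
    body = f"431 Request Header Fields Too Large: {detail}\n".encode()
    return (b"HTTP/1.1 431 Request Header Fields Too Large\r\n"
            b"Content-Type: text/plain\r\nConnection: close\r\n"
            + f"Content-Length: {len(body)}\r\n\r\n".encode() + body)


def cookie_sizes(cookie_value: str) -> List[Tuple[str, int]]:
    """Rank the cookies inside one Cookie header by size, largest first,
    so stale or bloated ones can be found and expired."""
    pairs = [p.strip() for p in cookie_value.split(";") if p.strip()]
    sized = [(p.split("=", 1)[0], len(p) + 2) for p in pairs]  # + "; "
    return sorted(sized, key=lambda x: x[1], reverse=True)


def expire_cookie(name: str, path: str = "/") -> str:
    """Set-Cookie value that deletes a stale cookie from the browser."""
    return f"{name}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path={path}"


def set_cookie(name: str, value: str, max_age: int, path: str = "/") -> str:
    """Set-Cookie value with an explicit lifetime so it cannot linger forever."""
    return f"{name}={value}; Max-Age={max_age}; Path={path}; Secure; HttpOnly; SameSite=Lax"


# Constructed sample requests (not captured traffic).
def _req(extra_headers: List[bytes]) -> bytes:
    base = [b"GET /api/profile HTTP/1.1", b"Host: example.com", b"Accept: application/json"]
    return b"\r\n".join(base + extra_headers) + b"\r\n\r\n"

OK_REQUEST = _req([b"Cookie: session=abc123"])
# 200 accumulated A/B-test cookies of 52 bytes each: one Cookie field of ~10.5 KB.
BLOATED_COOKIE = _req([b"Cookie: " + b"; ".join(
    b"ab_test_%03d=variant_%032x" % (i, i) for i in range(200))])
# 12 custom headers of ~820 bytes each: no single field is too big, the total is.
MANY_CUSTOM = _req([b"X-Trace-Context-%02d: " % i + b"t" * 800 for i in range(12)])

if __name__ == "__main__":
    for label, req in (("ok", OK_REQUEST), ("cookie", BLOATED_COOKIE), ("custom", MANY_CUSTOM)):
        a = audit_headers(req)
        print(label, a.status, a.reason, a.total_bytes, a.largest_name, a.largest_bytes)
    print(cookie_sizes("session=abc123; ab_test_001=variant_" + "0" * 32)[0])
    print(expire_cookie("ab_test_001"))
```

Running the script shows the bloated-cookie request rejected for a single oversized field (the Cookie header) and the custom-header request rejected on total size only, which is exactly the distinction a 431 body should make. The `cookie_sizes` ranking is the operator-side counterpart of the DevTools step: once the largest stale cookies are known, `expire_cookie` produces the Set-Cookie value that removes them on the next response.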
431 vs 400 vs 413
| Code | What is too large | Fix |
|---|---|---|
| 431 | Request headers | Reduce header size (cookies, tokens, custom headers) |
| 413 | Request body | Reduce body payload size or increase server body limit |
| 400 | Malformed request | Fix request syntax or parameters |
See also: 413 vs 431 comparison
FAQ
What does HTTP 431 mean?
HTTP 431 means the server refuses to process the request because the request headers are too large — either the total header block or a single individual header exceeds the server's size limit.
What causes HTTP 431 errors?
Most commonly: an oversized Cookie header from cookie accumulation, a large JWT in the Authorization header, or many custom headers in API clients. Cookie accumulation is the most frequent cause for end users.
How do I fix a 431 error?
Identify the oversized header via browser DevTools or curl -v. For cookies: clear cookies for the domain. For JWTs: reduce the token's claims payload. For servers you control: increase the header size limit in server configuration.
What are typical server header size limits?
Nginx: 8 KB total (default). Apache: 8 KB per header. Node.js: 8 KB (--max-http-header-size). Cloudflare: 32 KB total. All are configurable.
Related resources
On this site: HTTP 431 header size guide · HTTP 413 Content Too Large · HTTP 400 Bad Request · HTTP 411 Length Required · All 4xx client errors
Comparisons: 413 vs 431 · 400 vs 431
Standards: RFC 6585 §5 · IANA Registry · MDN Web Docs: 431