HTTP 431 Request Header Fields Too Large — What It Means & How to Fix
HTTP 431 Request Header Fields Too Large is an HTTP response status code that indicates the server refuses to process the request because the total size of the HTTP headers exceeds the server’s configured limit. This is commonly caused by oversized cookies, large authentication tokens, or bloated custom headers.
What It Means
Defined in RFC 6585 Section 5, the 431 status code tells the client: “Your headers are too large. Reduce their size and try again.” The server may indicate which header field is too large, or it may send the response without specifying details.
Unlike 413 (body too large) and 414 (URI too long), 431 targets the cumulative size of all header fields including cookies, authorization headers, and custom headers.
When It’s Sent
- Oversized cookies — A website sets many cookies, or cookies store large JSON objects exceeding the 4 KB per-cookie limit.
- Large JWT tokens — Authentication tokens that contain extensive claims or permissions data.
- Custom headers with large values — API clients passing large metadata in custom headers like X-Amz-Meta-*.
- Proxy forwarding headers — Reverse proxies that add headers accumulate size across hops.
- CORS preflight requests — Large Access-Control-Request-Headers values in OPTIONS requests.
Real Example
The following curl command sends oversized headers to trigger a 431:
curl -v https://httpbin.org/status/431 \
  -H "X-Large-Header: $(python3 -c 'print("A" * 50000)')" \
  2>&1 | grep -E "< HTTP|header"
Expected response:
HTTP/1.1 431 Request Header Fields Too Large
Date: Sat, 20 Jun 2026 12:00:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 177
<html>
<head><title>431 Request Header Fields Too Large</title></head>
<body><h1>Request Header Fields Too Large</h1><p>The server cannot process the request because the header fields are too large.</p></body>
</html>
How to Debug & Fix
Client-Side
- Reduce cookie size — Store less data in cookies. Use session IDs and keep data server-side.
- Use short-lived access tokens — JWTs with minimal claims reduce header size. Avoid storing large objects in tokens.
- Minimize custom headers — Consolidate multiple custom headers into one, or move data to the request body.
- Clear browser cookies — For web users, clearing cookies and cache often resolves 431 errors.
- Check proxy chain — Each proxy adds headers. Minimize proxy hops or increase limits at each level.
Server-Side
- Increase header buffer size — In nginx, increase large_client_header_buffers. In Apache, increase LimitRequestFieldSize.
- Set cookie limits — Limit the number and size of cookies your application sets.
- Trim proxy-added headers — Configure reverse proxies to avoid adding redundant headers.
- Log header sizes — Track which clients and endpoints generate oversized headers.
- Return specific error details — Tell the client which header field exceeded the limit.
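One way to implement the last two server-side items (log header sizes, name the offending field), as an added example that is not from the original page. The limits, function names and sample request are assumptions; the log record carries only field names and byte counts, so cookie and token values stay out of the logs.

```python
# Added example (not from the page); limits and names are assumptions.
MAX_FIELD_BYTES = 8 * 1024    # assumed limit per field name
MAX_TOTAL_BYTES = 16 * 1024   # assumed limit for all fields combined


def field_size(name, value):
    """Bytes on the wire for one 'Name: value' line plus CRLF."""
    raw = f"{name}: {value}\r\n"
    return len(raw.encode("latin-1", "replace"))


def check_headers(headers):
    """Return (status, detail, sizes) for a list of (name, value) pairs.

    sizes maps lower-cased field name -> bytes, summing repeated fields
    (for example forwarding headers appended at each proxy hop).
    Header values are never returned, only names and byte counts.
    """
    sizes = {}
    for name, value in headers:
        key = name.lower()
        sizes[key] = sizes.get(key, 0) + field_size(name, value)
    total = sum(sizes.values())
    worst = max(sizes, key=sizes.get, default=None)
    # A single field at fault: name it in the 431 response.
    if worst is not None and sizes[worst] > MAX_FIELD_BYTES:
        return 431, f"header field '{worst}' is {sizes[worst]} bytes (limit {MAX_FIELD_BYTES})", sizes
    # No single culprit, but the set of fields in total is too large.
    if total > MAX_TOTAL_BYTES:
        return 431, f"header fields total {total} bytes (limit {MAX_TOTAL_BYTES})", sizes
    return 200, "ok", sizes


def log_line(client, path, status, sizes, top=3):
    """Size-only log record, so cookies and tokens never reach the log."""
    biggest = sorted(sizes.items(), key=lambda kv: kv[1], reverse=True)[:top]
    fields = ",".join(f"{k}={v}" for k, v in biggest)
    return f"client={client} path={path} status={status} total={sum(sizes.values())} top={fields}"


if __name__ == "__main__":
    # Constructed sample request: a bloated session cookie plus normal headers.
    sample = [("Host", "app.example"), ("Cookie", "session=" + "A" * 9000),
              ("User-Agent", "demo/1.0")]
    status, detail, sizes = check_headers(sample)
    print(status, detail)
    print(log_line("203.0.113.7", "/login", status, sizes))
```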
Common Causes Table
| Scenario | Likely Cause | How to Fix |
|---|---|---|
| Login returns 431 | Session cookie contains large serialized object | Store object server-side, use session ID in cookie |
| API returns 431 after auth | JWT token payload contains too many claims | Reduce claims or use reference tokens |
| Website broken after SSO | SSO token stored as cookie exceeds 4 KB | Use server-side session storage |
| Reverse proxy returns 431 | Proxy adds headers that accumulate total header size | Configure proxy to forward headers selectively |
| Mobile app fails | App sends all user preferences in custom headers | Move preferences to request body or database |
Related Codes
HTTP 413 Payload Too Large — The request body exceeds the server’s size limit.
HTTP 414 URI Too Long — The requested URI exceeds the server’s maximum length.
HTTP 400 Bad Request — General client error for malformed requests.
HTTP 429 Too Many Requests — The client has sent too many requests in a given time.