Limiting request sizes in Nginx blocks oversized uploads and oversized headers before they reach application code, reducing avoidable load, disk churn, and upstream failures caused by unexpectedly large requests.
Nginx enforces request body limits with the client_max_body_size directive and rejects bodies that exceed the configured maximum with HTTP 413. Request headers are read into fixed-size buffers; when the request line or any header line cannot fit within the configured buffers, Nginx rejects the request early (commonly HTTP 400 with a “Request Header Or Cookie Too Large” response body).
Limits inherit by context, so placing directives in the http block sets a default for all virtual hosts, while server or location blocks override defaults for specific sites or endpoints. Tight limits can break legitimate uploads or authentication flows (large cookies or Authorization headers), and limits in Nginx should align with upstream limits (application framework, PHP-FPM, load balancer, CDN) to avoid inconsistent errors.
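The inheritance rule above, worked through as an added example that is not part of the original page: the shell function reads configuration text and prints the effective client_max_body_size, in bytes, for every server and location block. The function names, the sample configuration and the one-directive-per-line parsing are assumptions made for this illustration.

```shell
# Effective client_max_body_size (bytes) per server/location block, config text on stdin.
effective_body_limits() {
    awk '
    function to_bytes(v,   u) { u = tolower(substr(v, length(v)))   # 10m, 64k, 1g
        return (v + 0) * (u == "k" ? 1024 : u == "m" ? 1048576 : u == "g" ? 1073741824 : 1)
    }
    { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # strip comments, trim
    /[{]$/ {                                  # a block opens on this line
        id = ++n_blocks; kind[id] = $1; label[id] = $0
        sub(/[ \t]*[{]$/, "", label[id])
        parent[id] = depth ? stack[depth] : 0
        if (kind[id] == "http") http = id
        # nginx -T lists files one after another: attach a top-level server to http
        if (!depth && kind[id] == "server") parent[id] = http
        stack[++depth] = id; next
    }
    /^[}]/ { if (depth) depth--; next }
    depth && $1 == "client_max_body_size" { v = $2; sub(/;$/, "", v); val[stack[depth]] = v }
    depth && $1 == "server_name" { v = $2; sub(/;$/, "", v); name[stack[depth]] = v }
    END {
        for (id = 1; id <= n_blocks; id++) {
            if (kind[id] != "server" && kind[id] != "location") continue
            for (p = id; p && !(p in val); p = parent[p]) ;    # nearest setting
            for (s = id; s && kind[s] != "server"; s = parent[s]) ;
            printf "%s\t%s\t%.0f\n", (s in name) ? name[s] : "-", label[id],
                   to_bytes(p ? val[p] : "1m")    # built-in default is 1m
        }
    }'
}
sample_conf() {    # constructed configuration, laid out like nginx -T output
    cat <<'EOF'
http {
    client_max_body_size 2m;
    server {
        server_name example.com www.example.com;
        location /upload/ {
            client_max_body_size 10m;
        }
        location / {
        }
        client_max_body_size 1m;   # set after the locations, still inherited
    }
}
# configuration file /etc/nginx/conf.d/api.conf:
server {
    server_name api.example.com;
}
EOF
}
```

Run it as sample_conf | effective_body_limits, or pipe in sudo nginx -T on a live host; a printed value of 0 means the body size check is disabled for that block.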
Steps to limit request sizes in Nginx:
- Choose the maximum request body size allowed by the application.
Sizes accept k, m, and g suffixes (for example, 10m), and narrower scopes override broader scopes (http → server → location).
- Choose the maximum request header size allowed by the application.
Header limits that are too low can break SSO flows and apps that rely on large Cookie or Authorization headers.
- Locate the virtual host file that contains the matching server_name directive.
$ sudo grep --recursive --line-number --fixed-strings "server_name example.com" /etc/nginx/sites-enabled /etc/nginx/conf.d 2>/dev/null
/etc/nginx/sites-enabled/example.com.conf:12: server_name example.com www.example.com;
Replace example.com with the target hostname, or search by listener using listen 443 or listen 80.
- Resolve the real path of the matched configuration file when it is a symlink.
$ readlink -f /etc/nginx/sites-enabled/example.com.conf
/etc/nginx/sites-available/example.com.conf
Debian and Ubuntu commonly use /etc/nginx/sites-enabled symlinks that point into /etc/nginx/sites-available.
- Open the resolved virtual host file for editing.
$ sudoedit /etc/nginx/sites-available/example.com.conf
- Set client_max_body_size in the affected server or location block.
# /etc/nginx/sites-available/example.com.conf
server {
    server_name example.com www.example.com;
    client_max_body_size 10m;
    ##### snipped #####
}
Place client_max_body_size inside a specific location block to restrict or allow larger uploads only on an upload endpoint (for example, /upload/).
- Open the main Nginx configuration file for header buffer limits.
$ sudoedit /etc/nginx/nginx.conf
- Set request header buffer directives in the http block.
# /etc/nginx/nginx.conf
http {
    client_header_buffer_size 1k;
    large_client_header_buffers 2 8k;
    ##### snipped #####
}
large_client_header_buffers primarily affects HTTP/1.1 header parsing; HTTP/2 header limits are controlled separately when the http2 module is enabled.
- Test the Nginx configuration for syntax errors.
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
- Reload the Nginx service to apply the new limits.
$ sudo systemctl reload nginx
Use sudo systemctl restart nginx if the service does not support reload in the local environment.
- Create a request body larger than the configured client_max_body_size.
$ truncate -s 11M /tmp/nginx-body-test.bin
- Send the oversized body and confirm HTTP 413 is returned by Nginx.
$ curl -sS -o /dev/null -D- -H "Host: example.com" --data-binary @/tmp/nginx-body-test.bin http://127.0.0.1/
HTTP/1.1 413 Request Entity Too Large
Server: nginx
Content-Type: text/html
Content-Length: 183
Connection: close
Replace example.com with the target hostname, or replace the URL with the real scheme, host, and port for the affected virtual host.
- Create a header file containing an oversized Cookie header.
$ awk 'BEGIN{printf "Cookie: bigcookie="; for(i=0;i<20000;i++) printf "a"; printf "\n"}' > /tmp/nginx-headers.txt
- Send the oversized header and confirm an early client error is returned.
$ curl -sS -o /dev/null -D- -H "Host: example.com" -H @/tmp/nginx-headers.txt http://127.0.0.1/
HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: text/html
Content-Length: 150
Connection: close
- Verify the rejections in the Nginx error log.
$ sudo tail -n 20 /var/log/nginx/error.log
2025/12/14 12:30:01 [error] 12345#12345: *1 client intended to send too large body: 11534336 bytes, client: 127.0.0.1, server: example.com, request: "POST / HTTP/1.1", host: "example.com"
2025/12/14 12:31:02 [error] 12345#12345: *2 client sent too long header line: "Cookie: bigcookie=##### snipped #####", client: 127.0.0.1, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
Check the configured error_log path if /var/log/nginx/error.log is not present.
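Once the limits are live, the two error-log messages shown in the last step can be tallied per client to see who is hitting them and how far over the body limit the requests are. This is an added example, not part of the original page; the function names and the sample log lines are constructed, using the message formats shown above.

```shell
# Tally Nginx size-limit rejections per client from error-log text on stdin.
# Prints one line per client: "<client> body=<n> header=<n> max_body=<bytes>".
summarize_size_rejections() {
    awk '
    # Address from the ", client: <addr>, server:" field that Nginx appends.
    # The quoted header text is chosen by the client, so treat this as triage data.
    function client_of(s) {
        if (match(s, /, client: [0-9A-Fa-f:.]+, server: /))
            return substr(s, RSTART + 10, RLENGTH - 20)
        return "unknown"
    }
    /client intended to send too large body: / {
        c = client_of($0); seen[c] = 1; body[c]++
        # Keep the largest declared body length per client.
        if (match($0, /too large body: [0-9]+/)) {
            n = substr($0, RSTART + 16, RLENGTH - 16) + 0
            if (n > maxb[c]) maxb[c] = n
        }
        next
    }
    /client sent too long header line: / {
        c = client_of($0); seen[c] = 1; hdr[c]++
    }
    END {
        for (c in seen)
            printf "%s body=%d header=%d max_body=%.0f\n", c, body[c], hdr[c], maxb[c]
    }' | sort
}

sample_log() {    # constructed log lines in the format shown above
    cat <<'EOF'
2025/12/14 12:30:01 [error] 12345#12345: *1 client intended to send too large body: 11534336 bytes, client: 127.0.0.1, server: example.com, request: "POST / HTTP/1.1", host: "example.com"
2025/12/14 12:31:02 [error] 12345#12345: *2 client sent too long header line: "Cookie: bigcookie=aaaa", client: 127.0.0.1, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2025/12/14 12:32:10 [error] 12345#12345: *3 client intended to send too large body: 52428800 bytes, client: 203.0.113.7, server: example.com, request: "POST /upload/ HTTP/1.1", host: "example.com"
2025/12/14 12:32:11 [error] 12345#12345: *4 client intended to send too large body: 20971520 bytes, client: 203.0.113.7, server: example.com, request: "POST /upload/ HTTP/1.1", host: "example.com"
2025/12/14 12:33:00 [error] 12345#12345: *5 connect() failed (111: Connection refused) while connecting to upstream, client: 198.51.100.9, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
EOF
}
```

On a live host, feed it the real log with sudo cat /var/log/nginx/error.log | summarize_size_rejections.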
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
