Class HttpRequestDecoder

  • All Implemented Interfaces:
    ChannelHandler, ChannelInboundHandler

    public class HttpRequestDecoder
    extends HttpObjectDecoder
    Decodes ByteBufs into HttpRequests and HttpContents.

    Parameters that prevent excessive memory consumption

    Name | Meaning
    maxInitialLineLength | The maximum length of the initial line (e.g. "GET / HTTP/1.0"). If the length of the initial line exceeds this value, a TooLongHttpLineException will be raised.
    maxHeaderSize | The maximum length of all headers. If the sum of the length of each header exceeds this value, a TooLongHttpHeaderException will be raised.
    maxChunkSize | The maximum length of the content or each chunk. If the content length exceeds this value, the transfer encoding of the decoded request will be converted to 'chunked' and the content will be split into multiple HttpContents. If the transfer encoding of the HTTP request is 'chunked' already, each chunk will be split into smaller chunks if the length of the chunk exceeds this value. If you prefer not to handle HttpContents in your handler, insert HttpObjectAggregator after this decoder in the ChannelPipeline.

    Parameters that control parsing behavior

    Name | Default value | Meaning
    allowDuplicateContentLengths | false | When set to false, will reject any messages that contain multiple Content-Length header fields. When set to true, will allow multiple Content-Length headers only if they are all the same decimal value. The duplicated field-values will be replaced with a single valid Content-Length field. See RFC 7230, Section 3.3.2.
    allowPartialChunks | true | If the length of a chunk exceeds the ByteBuf's readable bytes and allowPartialChunks is set to true, the chunk will be split into multiple HttpContents. Otherwise, if the chunk size does not exceed maxChunkSize and allowPartialChunks is set to false, the ByteBuf is not decoded into an HttpContent until the readable bytes are greater than or equal to the chunk size.

    Header Validation

    It is recommended to always enable header validation.

    Without header validation, your system can become vulnerable to CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting').

    This recommendation stands even when both peers in the HTTP exchange are trusted, as it helps with defence-in-depth.
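
The following is an added example, not part of the Netty documentation: it runs the decoder in an EmbeddedChannel with tight limits, header validation on and duplicate Content-Length rejection, and shows that a violation surfaces as a failed decoderResult() on the emitted message rather than as a thrown exception. The limit values, the class name DecoderLimitsDemo and the sample requests are constructed for illustration; it assumes a Netty 4.1 release that offers the six-argument constructor overload and Java 11 or later.

```java
import io.netty.buffer.Unpooled;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.DecoderResult;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpRequestDecoder;
import java.nio.charset.StandardCharsets;

public class DecoderLimitsDemo {
    // Decode one raw request with tight limits and describe the outcome.
    static String decode(String raw) {
        EmbeddedChannel ch = new EmbeddedChannel(new HttpRequestDecoder(
                64,      // maxInitialLineLength (constructed value)
                256,     // maxHeaderSize (constructed value)
                1024,    // maxChunkSize (constructed value)
                true,    // validateHeaders: keep enabled
                128,     // initialBufferSize
                false)); // allowDuplicateContentLengths: reject duplicates
        try {
            ch.writeInbound(Unpooled.copiedBuffer(raw, StandardCharsets.US_ASCII));
            Object msg = ch.readInbound();
            if (!(msg instanceof HttpRequest)) {
                return "no request decoded";
            }
            // Failures are not thrown here; they arrive attached to the message.
            DecoderResult result = ((HttpRequest) msg).decoderResult();
            return result.isFailure()
                    ? "rejected: " + result.cause()
                    : "accepted: " + ((HttpRequest) msg).uri();
        } finally {
            ch.finishAndReleaseAll();
        }
    }

    public static void main(String[] args) {
        // Constructed sample requests.
        String ok = "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n";
        String longLine = "GET /" + "a".repeat(100)
                + " HTTP/1.1\r\nHost: example.test\r\n\r\n";
        String dupLength = "POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                + "Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello";
        System.out.println(decode(ok));        // within all limits
        System.out.println(decode(longLine));  // initial line longer than 64
        System.out.println(decode(dupLength)); // conflicting Content-Length
    }
}
```

A handler placed after the decoder should check decoderResult().isFailure() on every HttpRequest and close or answer with an error instead of routing the request further.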