
Large Magento headers causing 502 errors from ThreatX

We have seen instances of ThreatX returning 502 errors even though the upstream response was 200 OK.
Investigation showed that the cause was an excessively large set of response headers from the origin, which exceeded ThreatX’s maximum allowed header size of 4096 bytes.

When we looked at the client’s origin response we saw a very large number of identical Set-Cookie headers:

Set-Cookie: NEWMESSAGE=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=example.com; HttpOnly
Set-Cookie: NEWMESSAGE=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=example.com; HttpOnly
Set-Cookie: NEWMESSAGE=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=example.com; HttpOnly
Set-Cookie: NEWMESSAGE=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=example.com; HttpOnly
Set-Cookie: NEWMESSAGE=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=example.com; HttpOnly
Set-Cookie: NEWMESSAGE=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=example.com; HttpOnly

This customer’s application was set up with Varnish upstream of ThreatX, so the stack looked like:
Edge -> ThreatX -> Varnish -> Origin proxy -> Origin Magento.
Knowing this, we used Varnish to remove these redundant headers using the Header vmod:

import header;

# resp.* is only available in vcl_deliver, so the removal lives there
sub vcl_deliver {
    if (resp.http.Set-Cookie) {
        # The CMS can generate a large number of redundant Set-Cookie headers, which
        # exceeds the header size limit for ThreatX; drop every one matching this value
        header.remove(resp.http.Set-Cookie, "NEWMESSAGE=deleted");
    }
}
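To check a captured origin response before it reaches ThreatX, here is an added diagnostic (not part of the original post, and not ThreatX or Varnish code) that measures the header block against the 4096-byte limit, reports which header name is inflating it and how many Set-Cookie lines are exact duplicates, and then mirrors the Varnish removal above to confirm the trimmed response would fit. The sample response and the HEADER_LIMIT constant are constructed from what the post describes.

```python
import re
from collections import Counter

HEADER_LIMIT = 4096  # maximum header block size the post attributes to ThreatX

# Constructed sample response, modelled on the Magento output quoted above
COOKIE_LINE = ("Set-Cookie: NEWMESSAGE=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; "
               "Max-Age=0; path=/; domain=example.com; HttpOnly\r\n")
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                   "Content-Type: text/html; charset=UTF-8\r\n"
                   + COOKIE_LINE * 40
                   + "\r\n<html>ok</html>")

def split_response(raw):
    """Return (status line, [(name, value), ...], body) for an HTTP/1.x response."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (l.partition(":") for l in lines)]
    return status, headers, body

def header_block_bytes(status, headers):
    """Size of the header block as sent on the wire, terminating blank line included."""
    block = status + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"
    return len(block.encode("utf-8"))

def diagnose(raw, limit=HEADER_LIMIT):
    """Report whether the header block breaks the limit and what is inflating it."""
    status, headers, _ = split_response(raw)
    size = header_block_bytes(status, headers)
    bytes_by_name = Counter()
    for name, value in headers:
        bytes_by_name[name] += len(f"{name}: {value}\r\n".encode("utf-8"))
    cookie_values = Counter(v for n, v in headers if n.lower() == "set-cookie")
    return {
        "header_bytes": size,
        "over_limit": size > limit,
        "largest_header": bytes_by_name.most_common(1)[0][0] if headers else None,
        "redundant_set_cookie": sum(c - 1 for c in cookie_values.values()),
    }

def drop_set_cookie_matching(raw, pattern):
    """Mirror of the Varnish fix: remove every Set-Cookie whose value matches pattern."""
    status, headers, body = split_response(raw)
    kept = [(n, v) for n, v in headers
            if not (n.lower() == "set-cookie" and re.search(pattern, v))]
    return status + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in kept) + "\r\n" + body

if __name__ == "__main__":  # before and after the Varnish-style removal
    print(diagnose(SAMPLE_RESPONSE), diagnose(drop_set_cookie_matching(SAMPLE_RESPONSE, "NEWMESSAGE=deleted")))
```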