Skip to content

Add HTTP header size guideline to production deployment checklist#11601

Open
dushaniw wants to merge 3 commits into
wso2:masterfrom
dushaniw:master-http-header-size-guideline
Open

Add HTTP header size guideline to production deployment checklist#11601
dushaniw wants to merge 3 commits into
wso2:masterfrom
dushaniw:master-http-header-size-guideline

Conversation

@dushaniw

@dushaniw dushaniw commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Adds a new HTTP header size row to the production deployment checklist in en/docs/install-and-setup/setup/deployment-best-practices/production-deployment-guidelines.md.
  • Documents that the default maxHttpHeaderSize on the HTTP and HTTPS Tomcat connectors is 32 KB (32768 bytes).
  • Calls out that customers must not set the value lower than 32 KB — specifically on the API Control Plane (ACP) node in a distributed deployment (or on the single node in an all-in-one deployment) — when Multi-Option Authentication is used for federated portal logins.
  • Includes the deployment.toml override snippet and a note to align upstream reverse proxy / load balancer / ingress / CDN header limits to at least 32 KB.

Related

Test plan

  • `mkdocs build` runs cleanly on the branch.
  • The new row renders correctly in `mkdocs serve` at the target page, with zebra striping preserved on subsequent rows.
  • Verify rendering in staged docs site once merged.

🤖 Generated with Claude Code

Documents that the default maxHttpHeaderSize on the HTTP and HTTPS Tomcat
connectors is 32 KB, and calls out the requirement to keep it >= 32 KB on
the ACP node when Multi-Option Authentication is used for federated portal
logins.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
@dushaniw dushaniw requested a review from tharikaGitHub as a code owner July 10, 2026 13:56
Copilot AI review requested due to automatic review settings July 10, 2026 13:56
@dushaniw dushaniw requested a review from chamilaadhi as a code owner July 10, 2026 13:56
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@dushaniw, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 20 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a7816291-c1db-45ba-9f07-ee7e4a8c933b

📥 Commits

Reviewing files that changed from the base of the PR and between 051da39 and 583ffaa.

📒 Files selected for processing (5)
  • en/docs/install-and-setup/setup/deployment-best-practices/production-deployment-guidelines.md
  • en/docs/reference/config-catalog.md
  • en/tools/config-catalog-generator/data/_http-transport.toml
  • en/tools/config-catalog-generator/data/_https-transport.toml
  • en/tools/config-catalog-generator/data/configs.json
📝 Walkthrough

Walkthrough

Adds an “HTTP header size” row to the production deployment checklist. It documents the 32 KB maxHttpHeaderSize default for HTTP and HTTPS Tomcat connectors, cautions against reducing it for federated login flows, describes resulting 400/414 errors, provides deployment.toml settings, and recommends matching upstream proxy and ingress limits.

Suggested reviewers: chamilaadhi, tharikagithub

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description covers the change and test plan, but it omits most required template sections such as Purpose, Goals, Approach, and Release note. Add the missing template sections, especially Purpose, Goals, Approach, User stories, Release note, Documentation, and Security checks.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the main change: adding an HTTP header size guideline to the production deployment checklist.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds guidance to the production deployment checklist about ensuring sufficient HTTP header/request size capacity for federated portal logins (notably Multi-Option Authentication), and updates the checklist table row striping after inserting the new entry.

Changes:

  • Adds a new “HTTP header size” checklist row with background/context and a deployment.toml override snippet.
  • Highlights a minimum maxHttpHeaderSize requirement (32 KB) to avoid broken federated login redirects.
  • Adjusts subsequent table row odd/even classes to preserve zebra striping.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@en/docs/install-and-setup/setup/deployment-best-practices/production-deployment-guidelines.md`:
- Around line 122-140: Align the maxHttpHeaderSize default consistently: update
the transport templates and config catalog from 8192 to 32768, matching the
documentation and generated configuration, or revise the documentation to apply
only to the release that changes the default. Locate the relevant
maxHttpHeaderSize entries in the transport configuration templates and config
catalog and update them together.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e8a2ac07-5d67-4664-986c-779b45379956

📥 Commits

Reviewing files that changed from the base of the PR and between acd83ed and 78c6c8b.

📒 Files selected for processing (1)
  • en/docs/install-and-setup/setup/deployment-best-practices/production-deployment-guidelines.md

dushaniw and others added 2 commits July 13, 2026 09:22
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
- Bump maxHttpHeaderSize default to 32768 in transport TOML templates and
  configs.json for both HTTP and HTTPS transports.
- Regenerate config-catalog.md via the config-catalog-generator tool.
- Add a description for maxHttpHeaderSize explaining the ACP + Multi-Option
  Authentication constraint.
- Fix <APIM_HOME> -> <API-M_HOME> and APIM -> API-M for consistency with
  surrounding docs.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
</div>
<div class="param-description">
<p>Use this parameter to enable MTOM (Message Transmission Optimization Mechanism) for the product server.</p>
<p>Use this paramater to enable MTOM (Message Transmission Optimization Mechanism) for the product server.</p>

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some corrected spellings have been altered in this file. Let's revert the spelling changes and keep the config change only.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants