AWS API Gateway – HTTP header is larger than 10240 bytes.

The issue

I am running a serverless .net core website hosted as a serverless lambda function exposed via API Gateway.

Over the past year I have randomly hit this issue where, during a session a user will get the error;

HTTP header is larger than 10240 bytes.

The problem

We are hitting an AWS API Gateway limit. API Gateway has an unadjustable limit.

10240 bytes on the total combined size of all header values.

The problem is that the .net core website, stores a number of cookies like;

  • .AspNetCore.CookiesC1
  • .AspNetCore.CookiesC2
  • .AspNetCore.Antiforgery.AsW4q1BB7-Y

I was also adding my own custom cookies to support storage of some minor session state, which in a serverless solution you cannot store in any kind of local cache or in memory (would need to use a distributed cache).

All in all depending on what core was doing the size of the headers was going above the 10240 limit.

A solution of sorts

The only way around this is to try and reduce the size of the payload in the header. These are some of the solutions I used;

  1. Jwt token claims – I remove all unused claims off the token so that we only store those that we actually need.
  2. Cookies
    1. reduced the length of the key names.
    2. limit the size of the data being stored
  3. Enable compression


This gets me to around 9,000 bytes, with a little bit of head room.

The actual solution

The real solution, it turns out is to bypass the API Gateway.

Open the Lambda Entry point and you will see that there is generally a block of commented code for the various classes that the startup class can inherit from.

You will need to do the following;

  1. Setup a load balancer
  2. Setup a trigger on the lambda to be triggered from the Load Balancer
  3. Update the LambdaEntryPoint class and choose to inherit from
    1. Amazon.Lambda.AspNetCoreServer.ApplicationLoadBalancerFunction
  4. Build and deploy your lambda
  5. Reconnect your domain name to point to the ALB not the API Gateway CloudFrontstack

This will bypass the API Gateway and your problem is solved.

1 thought on “AWS API Gateway – HTTP header is larger than 10240 bytes.

  1. I have decreased the cookies size to safe limits by using IOpenIdOptions.SaveTokens = false; it took the cookies from 9-10000 to about 3000.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.