Fix for 400/502 error "bad request" due to large headers and too many cookies


Just in case others are hitting the same problem. You might be noticing that some users are randomly having issues logging in, form submissions etc. We noticed this and traced it back to 400 errors related to larger request headers.
It seems that the switch to GA4 and the increasing use of Hotjar are the cause of the problem. Both of these services set cookies by default at the domain and both set a unique cookie per property. The result is that if a users visits a lot of different government sites they can end up with over 8k of cookies (+headers) being sent to all websites. Most web application servers and reverse proxys tend to have an 8k limit by default.

We’ve increased the limits on our NSW DDS hosting service and also implemented measures to try to cut out some of the unwanted cookies.

However it would be good practice if other services do what we have also done and ensure that GA etc use a more specific domain. e.g. gtag('config', 'PROP_ID', {'cookie_domain': ''})

1 Like