Auth0 and 413s - AD integration generating massive token

Hi Auth0 community.

Like many other posts on the internet relating to Auth0, we’re also experiencing problems with too-large headers being sent back and forth to proxy APIs. Now our stack looks like this:

  1. NextJS monolith - Default 16kb header size limit → Now set to a maximum of 31.5kb
  2. Secondary api - Default 16kb header size limit → Now set to a maximum of 31.5kb
  3. Tertiary api - Default 16kb header size limit → Now set to a maximum of 31.5kb

This increase seems to go above the scope of what the NodeJS team intends, as this puts us at risk of a potential DDoS attack, from what I understand.

We have a client that has a bunch of groups for other IT systems that need to be able to read roles. We also require to see all the groups they are a part of to know how to map that group to our custom roles.

The problem is that one of these clients has around 27kb worth of cookies, split into 7 different session cookies (session_0…session_6), so we’ve attempted to increase the header size, but this does not seem to help in the long run.

How could this be mitigated? Can we avoid getting the AD groups and just request them on demand?

I hope I provided enough information - otherwise please get back to me if you are missing anything 🙏