[SOLVED] Surrogate-Key Can Create Header Overflow

I have…

  • [ ] Checked the logs and have uploaded a log file and provided a link because I found something suspicious there. Please do not post the log file in the topic because very often something important is missing.

I’m submitting a…

  • [ ] Regression (a behavior that stopped working in a new release)
  • [x] Bug report
  • [ ] Performance issue
  • [ ] Documentation issue or request

Current behavior

This is a bug related to Node.js making a GraphQL request for content and setting a take value (>60). The response header includes the surrogate key field, which includes the ids of the requested GraphQL content. The value of this header can easily bloat the response headers to greater than 8kb, the maximum default header size supported in Node.js, resulting in a system header overflow error.

Expected behavior

I do not know if this is a feature or a bug depending on the scope and purpose of this header in relation to GraphQL. This can be avoided in Node by using pagination properly and not requesting so many records.

I wanted to make a record for posterity so other Node developers know about the header overflow issue for requesting too much information.

Minimal reproduction of the problem

Make a request to content that returns a response header with ~60 surrogate keys (content ids) and check the size of the response header. It should be greater than 8kb.

I was able to submit a GraphQL query in Postman and inspect the response headers and size as more data was fetched in parity with Node until Node crashed.


  • [ ] Self hosted with docker
  • [ ] Self hosted with IIS
  • [ ] Self hosted with other version
  • [x] Cloud version

Version: [Latest Cloud Version]


  • [ ] Chrome (desktop)
  • [ ] Chrome (Android)
  • [ ] Chrome (iOS)
  • [ ] Firefox
  • [ ] Safari (desktop)
  • [ ] Safari (iOS)
  • [ ] IE
  • [ ] Edge


Hi, welcome to Squidex and thank you very much for the bug report.

I will reduce the key size to 8k and also introduce an X-SurrogateSize header which you can override.

I have solved it, but I am not sure if it is also deployed. Will check later today.