Forcing 414 URI Too Long
Mechanism: Per RFC 9110 §15.5.15, a server returns 414 when the target URI exceeds the server's configured maximum length. The oracle exists when the application enforces per-endpoint or per-resource URI length limits after routing the request and resolving the resource.
Isolated Variable: Only the URI length changes. A massive query string is appended (e.g., ?padding=AAAA...) to inflate the URI past the application's limit while keeping the path semantically valid.
Oracle Signal: 414 (exists, application-level length limit triggered) vs 404 (does not exist).
GET — Existing Resource (Oversized Query String)
GET /api/users/1001?padding=AAAAAAA...AAAA HTTP/1.1
Host: target.com
Authorization: Bearer valid-token
HTTP/1.1 414 URI Too Long
Content-Type: application/json
{"error": "URI Too Long", "detail": "Request URI exceeds maximum length of 8192 bytes"}
(Query string padded to ~16 KB — above the application's per-endpoint limit but below the gateway's global limit)
GET — Non-Existing Resource (Oversized Query String)
GET /api/users/9999?padding=AAAAAAA...AAAA HTTP/1.1
Host: target.com
Authorization: Bearer valid-token
HTTP/1.1 404 Not Found
Content-Type: application/json
{"error": "Not Found"}
💡 Distinguishing gateway vs application limits: Compare three requests with identical oversized URIs: one to a known-existing resource, one to a known-non-existing resource, and one to a completely invalid endpoint path. If all three return 414, the limit is enforced at the gateway (no oracle). If only the existing resource returns 414 while the others return 404, the limit is application-level and the oracle is confirmed.
💡 Path-length vs query-string-length limits: Some servers enforce separate limits on the path component and query string. Test both independently — the path-based variant may reach a different code path in the routing layer.
💡 414 vs connection close: Some servers silently close the connection when the URI is too long instead of returning 414. Monitor the TCP connection state, not just the HTTP response.
Mitigation: Enforce URI length limits at the reverse proxy or gateway layer before the request reaches the application, using a single global limit regardless of the target resource.
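The following Python model is an added example, not code from the original page: it shows why the order of the length check relative to routing decides whether the status code leaks resource existence, and it runs the three-request comparison from the tip above against each ordering as a self-check. The router, the user store, the 8192-byte limit and the `padding` parameter are constructed for the illustration; `vulnerable_handle` applies the limit inside the resolved handler (the flawed ordering), `hardened_handle` applies one global limit before routing, which is the mitigation described above.

```python
"""Where a URI-length limit is enforced decides whether 414 becomes an existence oracle.
Added example with constructed names and values; not the original page's code."""
from urllib.parse import urlsplit

# Constructed stand-in for the application's resource store.
USERS = {"1001": {"name": "alice"}}
MAX_URI_BYTES = 8192  # constructed limit, matching the figure in the sample response


def route(path):
    """Minimal router: returns (handler_name, resource_id) or None for an unknown endpoint."""
    parts = path.strip("/").split("/")
    if len(parts) == 3 and parts[0] == "api" and parts[1] == "users":
        return ("user", parts[2])
    return None


def vulnerable_handle(uri):
    """Flawed ordering: route, resolve the resource, and only then check the length.
    Unknown endpoints and missing resources 404 regardless of URI size, so 414
    is returned only when the resource exists."""
    match = route(urlsplit(uri).path)
    if match is None:
        return 404
    _, user_id = match
    if user_id not in USERS:
        return 404
    # Limit checked after existence is known: the status now depends on the resource.
    if len(uri.encode()) > MAX_URI_BYTES:
        return 414
    return 200


def hardened_handle(uri):
    """Gateway-style ordering: one global limit applied to every URI before routing,
    so an over-length request gets 414 no matter what it points at."""
    if len(uri.encode()) > MAX_URI_BYTES:
        return 414
    match = route(urlsplit(uri).path)
    if match is None:
        return 404
    _, user_id = match
    if user_id not in USERS:
        return 404
    return 200


def oversized(uri):
    """Append a constructed query string that pushes the URI past MAX_URI_BYTES."""
    return uri + "?padding=" + "A" * (MAX_URI_BYTES + 1)


def length_oracle_present(handle):
    """The three-request comparison from the text, run against a handler function:
    existing resource, non-existing resource and invalid endpoint, all with identical
    oversized query strings. Returns (leaks, statuses); leaks is True when the
    statuses differ, i.e. the limit is applied after routing."""
    statuses = {
        "existing": handle(oversized("/api/users/1001")),
        "missing": handle(oversized("/api/users/9999")),
        "invalid": handle(oversized("/no/such/endpoint")),
    }
    return len(set(statuses.values())) > 1, statuses


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handle), ("hardened", hardened_handle)):
        leaks, statuses = length_oracle_present(handler)
        print(f"{name}: {statuses} -> {'oracle present' if leaks else 'no oracle'}")
```

The hardened ordering is the same check moved in front of the router; in a real deployment that is the reverse proxy or gateway limit the mitigation calls for, and the application limit behind it should be no stricter than the global one so it is never the first to fire.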