Content security policy maximum size exceeded

The maximum size available for HTTP headers on your website depends on the web server that runs your website. For most web servers, such as Apache and LiteSpeed, the limit is 8192 bytes, but the default configuration of Nginx sets this limit to 4096 bytes. When your website runs Nginx with the default configuration, the space available for HTTP headers is therefore limited. In most cases this is fine, but if you have a large Content Security Policy the total size of all HTTP headers on your site may exceed what the server supports. When this happens you will encounter a 502 "Bad Gateway" or 500 "Internal Server Error" and your site will be unreachable. Because this is a limitation of the web server, there is nothing Really Simple SSL can do to create more room for your HTTP headers.

To prevent your site from becoming unreachable, Really Simple SSL checks the total size of your HTTP headers against the limit your server can handle before saving any changes to your headers. To make sure additional page-specific headers do not exceed the limit, we reserve an extra 500 bytes when determining the maximum size for your HTTP headers. When we find that the size of your headers might exceed the size your server supports, we disable the Content Security Policy, as this is the likely cause of the problem. When you are notified that your site exceeds the maximum HTTP header size, examine your Content Security Policy and limit the number of entries by revoking unneeded sources in the Content Security Policy settings.

The Source Directive interface, as part of the Really Simple SSL Content Security Policy generator

Important NOTE:

When you try to access a page that redirects to wp-login.php while you are not logged in, WordPress adds more than 2100 bytes of Set-Cookie headers. In this case there is a good chance of exceeding the maximum HTTP header limit when running Nginx in the default configuration, and you can then only log in to your site by accessing /wp-login.php directly.
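The pre-save check described above, worked through on constructed headers, as an added example that is not Really Simple SSL's own code: it counts the on-wire bytes of a response header set, subtracts the 500-byte reserve from the server limit the article gives, and decides whether the Content Security Policy would be disabled. It also reproduces the login-redirect case from the note, where a policy that normally fits is pushed over the limit by the extra Set-Cookie headers. The server limits are the article's figures; the `build_csp`, `check_headers` and `login_redirect_cookies` helpers, the `cdn*.example.net` hosts and the cookie filler are all assumptions made for the example.

```python
"""Pre-save header budget check, modelled on the procedure the article describes.

Added example; this is not Really Simple SSL's own code. Assumptions, labelled:
- the per-server limits are the figures the article gives (Nginx default 4096 bytes,
  Apache and LiteSpeed 8192 bytes), not values measured here;
- the 500-byte reserve for page-specific headers is the article's figure;
- header size is counted as the bytes on the wire, "Name: value\r\n" per header
  plus the terminating blank line (the status line is not counted).
"""

SERVER_HEADER_LIMITS = {  # bytes, from the article
    "nginx-default": 4096,
    "apache": 8192,
    "litespeed": 8192,
}
PAGE_SPECIFIC_RESERVE = 500  # bytes held back for headers added per page (article's figure)


def header_bytes(headers):
    """On-wire size of a list of (name, value) pairs, including the blank line that ends the block."""
    wire = "".join(f"{name}: {value}\r\n" for name, value in headers) + "\r\n"
    return len(wire.encode("utf-8"))


def check_headers(headers, server="nginx-default", reserve=PAGE_SPECIFIC_RESERVE):
    """Return the measured size, the usable budget and the action the article's logic would take."""
    budget = SERVER_HEADER_LIMITS[server] - reserve
    size = header_bytes(headers)
    csp = [(n, v) for n, v in headers if n.lower() == "content-security-policy"]
    csp_bytes = header_bytes(csp) - 2 if csp else 0  # minus the terminating blank line
    if size <= budget:
        action = "keep"
    elif csp:
        action = "disable-csp"  # the article treats the CSP as the likely cause
    else:
        action = "server-config"  # nothing a plugin can trim; the server limit must change
    return {"size": size, "budget": budget, "fits": size <= budget,
            "csp_bytes": csp_bytes, "action": action}


def without_csp(headers):
    """The header set after the plugin disables the Content Security Policy."""
    return [(n, v) for n, v in headers if n.lower() != "content-security-policy"]


# --- constructed sample data (not captured from any real site) -----------------

def build_csp(n_hosts):
    """Constructed policy that grows with the number of allowed third-party hosts."""
    hosts = " ".join(f"https://cdn{i}.example.net" for i in range(n_hosts))
    return ("default-src 'self'; "
            f"script-src 'self' {hosts}; "
            f"style-src 'self' 'unsafe-inline' {hosts}; "
            f"img-src 'self' data: {hosts}; "
            f"font-src 'self' {hosts}; "
            f"connect-src 'self' {hosts}; "
            "frame-ancestors 'self'")


BASE_HEADERS = [  # constructed: typical hardening headers on a WordPress site
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
]


def login_redirect_cookies(count=6, filler=330):
    """Constructed Set-Cookie burst approximating the >2100 bytes the article mentions on a wp-login.php redirect."""
    return [("Set-Cookie", f"wp_cookie_{i}=" + "x" * filler + "; Path=/; HttpOnly")
            for i in range(count)]


if __name__ == "__main__":
    cases = [
        ("small CSP", BASE_HEADERS + [("Content-Security-Policy", build_csp(10))]),
        ("large CSP", BASE_HEADERS + [("Content-Security-Policy", build_csp(30))]),
        ("small CSP + login redirect",
         BASE_HEADERS + [("Content-Security-Policy", build_csp(10))] + login_redirect_cookies()),
    ]
    for label, hdrs in cases:
        for server in ("nginx-default", "apache"):
            r = check_headers(hdrs, server)
            print(f"{label:28s} {server:14s} {r['size']:5d}/{r['budget']} bytes -> {r['action']}")
```

Running it shows the same large policy passing on Apache and failing on a default Nginx, and the login-redirect case turning a policy that fits into one that gets disabled. On a real deployment, measure the headers the server actually sends rather than estimating them, and confirm the limit in force: the article's Nginx figure is a default, and (as an editor's note, not something the article states) the buffer that receives a PHP backend's response headers is set by Nginx's `fastcgi_buffer_size`, or `proxy_buffer_size` when Nginx proxies to another server, so a configuration that changes those moves the limit the check should use.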
