Introduction

Nginx reads response headers from upstream before it can send the response to the client. If the upstream sends large Set-Cookie headers, an oversized redirect chain, or a bulky authentication token, Nginx can fail early with "upstream sent too big header while reading response header from upstream". The right fix is to identify header bloat first, then adjust the correct buffer directive for the upstream type you actually use.

Symptoms

  • Requests fail with HTTP 502 or 500 on pages that set session cookies
  • The Nginx error log mentions "upstream sent too big header"
  • Login, checkout, or admin pages fail while static pages still work
  • The issue appeared after adding SSO, feature flags, or large cookie-based state

Common Causes

  • The upstream sends one or more oversized Set-Cookie headers
  • JWTs or session payloads are stored directly in cookies
  • FastCGI or proxy buffers are smaller than the upstream header set
  • The app keeps adding duplicate cookies on each redirect or login step

Step-by-Step Fix

  1. Capture the response headers that trigger the failure
     Measure the actual header size before changing buffer settings blindly.
bash
curl -skD headers.txt -o /dev/null https://app.example.com/account
grep -i "set-cookie" headers.txt
  2. Confirm whether the failing path uses FastCGI or proxy_pass
     You need to tune the matching Nginx directives for the upstream type on that location.
nginx
location ~ \.php$ {
  include fastcgi_params;
  fastcgi_pass unix:/run/php/php8.2-fpm.sock;
}
  3. Increase the FastCGI header buffers only as much as the workload needs
     This gives Nginx enough room to read legitimate headers without hiding runaway cookie growth.
nginx
location ~ \.php$ {
  include fastcgi_params;
  fastcgi_pass unix:/run/php/php8.2-fpm.sock;
  fastcgi_buffer_size 32k;
  fastcgi_buffers 16 16k;
  fastcgi_busy_buffers_size 64k;
}
  4. Reduce header bloat at the application layer
     If headers keep expanding, bigger buffers only postpone the next outage.
bash
grep -i "set-cookie" headers.txt | sort | uniq -c
nginx -t && systemctl reload nginx
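
The measurement in step 1 and the duplicate check in step 4 can be combined into one report. The following is an added example, not part of the original article: a shell function that totals the header block in a dump such as headers.txt, names the largest Set-Cookie line, and lists cookie names set more than once. The function names, the constructed sample response, and the 4096-byte default limit (one memory page, the usual fastcgi_buffer_size default) are assumptions.

```bash
#!/usr/bin/env bash
# Added example: size up a header dump written by `curl -D headers.txt`.
# The dump is what the client received, so the total approximates the
# header block the upstream sent; it does not include FastCGI framing.

# header_report FILE [LIMIT_BYTES]   (FILE may be "-" for stdin)
# Prints: total=<bytes> largest=<cookie>:<bytes> duplicates=<list|none> fits=<yes|no>
header_report() {
  LC_ALL=C awk -v limit="${2:-4096}" '
    # A blank line ends the first header block; count its CRLF and stop.
    /^\r?$/ { total += length($0) + 1; exit }
    { total += length($0) + 1 }            # +1 for the newline awk stripped
    tolower($0) ~ /^set-cookie:/ {
      v = $0
      sub(/^[^:]*:[ \t]*/, "", v)           # drop the "Set-Cookie:" prefix
      name = substr(v, 1, index(v, "=") - 1)
      seen[name]++
      if (length($0) + 1 > max) { max = length($0) + 1; big = name }
    }
    END {
      dups = ""
      for (n in seen)
        if (seen[n] > 1) dups = dups (dups != "" ? "," : "") n ":" seen[n]
      printf "total=%d largest=%s:%d duplicates=%s fits=%s\n",
        total, big, max, (dups != "" ? dups : "none"),
        (total <= limit ? "yes" : "no")
    }' "$1"
}

# Constructed sample: a session cookie set twice plus a 5000-byte token cookie.
sample_headers() {
  jwt=$(printf '%5000s' '' | tr ' ' 'A')
  printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n'
  printf 'Set-Cookie: sid=abc; Path=/\r\nSet-Cookie: sid=def; Path=/\r\n'
  printf 'Set-Cookie: jwt=%s; Path=/\r\n\r\n' "$jwt"
}

# Compare the same response against a 4k buffer and the 32k value from step 3.
sample_headers | header_report - 4096
sample_headers | header_report - 32768
```

Run it against a real capture with `header_report headers.txt 32768`; a duplicates entry such as `sid:2` is the application-layer growth that step 4 asks you to remove.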

Prevention

  • Keep session data server-side instead of packing large payloads into cookies
  • Review new authentication and tracking features for cookie growth
  • Tune fastcgi_* and proxy_* buffers based on measured header sizes, not guesswork
  • Watch Nginx error logs for header-size warnings during login and checkout releases