sfw/fix
upstream sent too big header high

nginx 502: upstream sent too big header while reading response header

PHP-FPM returned response headers larger than nginx's FastCGI buffer, overflowing it and turning the response into a 502.

What you see

2026/06/15 09:14:22 [error] 1180#1180: *4821 upstream sent too big
header while reading response header from upstream, client: 203.0.113.5,
server: example.com, request: "GET /dashboard HTTP/1.1", upstream:
"fastcgi://unix:/run/php/php-fpm.sock"

What’s actually happening

The browser gets a 502 Bad Gateway, but PHP-FPM is up and most pages work. It is the specific responses with oversized headers that break, often after a login or on a page that sets many cookies. nginx reads the upstream headers into a fixed buffer; when they do not fit, it gives up and returns 502. The error.log line names the exact request and upstream socket.

Common causes

  • A large Set-Cookie header, frequently a fat session or a framework that serializes too much into the cookie.
  • Several cookies set at once (session, CSRF, analytics, A/B flags) whose combined size exceeds fastcgi_buffer_size.
  • Big auth headers, like a long JWT or SAML/OIDC token echoed back in the response.
  • A debug or profiling header (verbose stack traces, an APM tool) appended in non-production.
  • fastcgi_buffer_size left at its small default (4k/8k) while the app's real headers grew past it.

How to fix it

  1. Confirm it is a header-size 502 from the logMatch the error.log line: 'upstream sent too big header while reading response header from upstream'. That string distinguishes this from a timeout or a crashed worker, which produce different 502 causes and different fixes.
  2. Increase the FastCGI header buffersIn the server or location block set, for example, fastcgi_buffer_size 32k; and fastcgi_buffers 8 16k;. fastcgi_buffer_size covers the first chunk that holds the response headers, so it is the one that matters most here.
  3. Bump busy buffers if nginx complainsIf a config test errors after the change, raise fastcgi_busy_buffers_size to match (for example 32k). For a reverse proxy upstream instead of FastCGI, the equivalents are proxy_buffer_size and proxy_buffers.
  4. Test and reloadRun nginx -t, then reload nginx. Reproduce the request that 502'd (the login or the cookie-heavy page) and confirm it now returns 200.
  5. Shrink the headers at the sourceBuffers treat the symptom. Also trim what PHP emits: store session data server-side instead of in the cookie, drop unused cookies, and strip debug headers in production so the response fits comfortably.

Stop it recurring

Size fastcgi_buffer_size to comfortably exceed the app's largest real response headers (cookies plus auth tokens), and keep debug headers out of production.

Related errors

413 Request Entity Too Large (nginx client_max_body_size)

medium

The request body exceeded nginx's client_max_body_size, so nginx rejected it before passing the request to the backend.

PHP-FPM "Primary script unknown" (File not found)

high

nginx handed PHP-FPM a SCRIPT_FILENAME path that PHP-FPM cannot find or read, so it returns a blank File not found.

PHP Fatal Error: Allowed Memory Size Exhausted

high

A PHP script asked for more RAM than memory_limit permits, so the engine kills the request mid-execution.

PHP Fatal Error: Maximum Execution Time of 30 Seconds Exceeded

high

A PHP script ran past the max_execution_time cap, so the engine aborted it before it could finish.