
ERR_RESPONSE_HEADERS_TOO_BIG (Chrome Error 325)

Chrome aborted the page because the server's response headers blew past its roughly 256KB cap.

What you see

This page isn't working
[domain] didn't send any data.
ERR_RESPONSE_HEADERS_TOO_BIG

What’s actually happening

The page fails in Chrome and Edge with ERR_RESPONSE_HEADERS_TOO_BIG, but the same URL often works in Firefox, which is more lenient about header size. curl -I shows a wall of headers — frequently a huge Set-Cookie or the same security header listed several times. This is about what the server sends back, not what the browser sends, which is what separates it from a 431 or the Nginx 400 above.

Common causes

  • An enormous Set-Cookie — a session or auth cookie packed with serialized data, or many cookies set in one response.
  • An oversized JWT or SSO token written into a header or cookie on login.
  • Duplicated security headers, where both the app and the reverse proxy (Nginx/Cloudflare) add Content-Security-Policy, Permissions-Policy, etc., so each appears twice.
  • A sprawling Content-Security-Policy or Permissions-Policy with hundreds of sources or directives.
  • A misbehaving middleware that appends to a header on every pass instead of replacing it.

How to fix it

  1. Dump the raw response headers and measure them. Run 'curl -sD - -o /dev/null https://yoursite/path' or open DevTools > Network > the document request > Headers. Add up the response header bytes. The offender is almost always obvious — one giant Set-Cookie or a duplicated CSP.
  2. Stop double-setting security headers. Decide whether the app or the proxy owns headers like CSP, HSTS, and Permissions-Policy — not both. In Nginx use 'proxy_hide_header Content-Security-Policy;' before re-adding it, or strip them from the app. Two copies of a long CSP alone can blow the budget.
  3. Shrink the cookie/JWT. Move data out of the token and into a server-side session referenced by a short opaque ID. If you're serializing a user object or permission list into a cookie, that's the problem. Keep individual cookies to a few KB.
  4. Trim the CSP. Collapse duplicate sources, use a nonce or hash strategy instead of enumerating dozens of inline-script hosts, and drop directives you aren't enforcing. A tidy CSP is a few hundred bytes, not tens of KB.
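The measuring in step 1 is easy to do by eye for one giant Set-Cookie but tedious when the problem is a dozen medium headers or a duplicate you didn't notice. The script below is an added example, not code from the original page: it parses a raw 'curl -sD - -o /dev/null' dump, adds up the bytes each header costs on the wire, lists duplicated names, and flags the usual offenders named above. The 256KB cap is the approximate figure the page cites, the per-cookie and CSP warning thresholds are assumptions loosely based on the "few KB" and "few hundred bytes" guidance in steps 3 and 4, and SAMPLE_DUMP is a constructed response (duplicated CSP plus a fat session cookie), not captured from any real site.

```python
"""Measure a raw response-header dump against Chrome's header cap.

Added example; not part of the original page. CHROME_HEADER_CAP is the
approximate 256KB figure the page cites; the warning thresholds are
assumptions; SAMPLE_DUMP is constructed to look like
`curl -sD - -o /dev/null https://yoursite/path` output.
"""
from collections import Counter

CHROME_HEADER_CAP = 256 * 1024      # approximate Chrome limit (page's figure)
COOKIE_WARN_BYTES = 4 * 1024        # assumed: "keep individual cookies to a few KB"
CSP_WARN_BYTES = 2 * 1024           # assumed: "a tidy CSP is a few hundred bytes"

# Constructed sample: the CSP is sent twice (app + proxy) and the session
# cookie carries ~3KB of serialized data.
SAMPLE_DUMP = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "Content-Security-Policy: default-src 'self'; script-src 'self' https://a.example https://b.example",
    "Content-Security-Policy: default-src 'self'; script-src 'self' https://a.example https://b.example",
    "Set-Cookie: session=" + "A" * 3000 + "; Path=/; HttpOnly; Secure",
    "Strict-Transport-Security: max-age=63072000",
    "",
    "",
])


def parse_raw_headers(dump):
    """Return (status_line, [(name, raw_line), ...]) for the final response.

    `curl -sD - -L` writes one header block per redirect hop; the browser
    applies its cap per response, so only the last block is inspected.
    Names are lower-cased (header names are case-insensitive) and
    duplicates are kept in order so repeated headers stay visible.
    """
    text = dump.replace("\r\n", "\n")
    blocks = [b for b in text.split("\n\n") if b.strip()]
    if not blocks:
        return "", []
    lines = blocks[-1].split("\n")
    headers = []
    for line in lines[1:]:
        name, sep, _value = line.partition(":")
        if not sep:            # no colon: not a header field, skip it
            continue
        headers.append((name.strip().lower(), line))
    return lines[0], headers


def header_report(dump, cap=CHROME_HEADER_CAP):
    """Summarise header bytes on the wire and flag the page's usual offenders."""
    status, headers = parse_raw_headers(dump)
    # Each header line costs its characters plus CRLF; the status line and
    # the blank line that terminates the block are counted as well.
    per_header = {}
    for name, line in headers:
        per_header[name] = per_header.get(name, 0) + len(line) + 2
    total = len(status) + 2 + sum(per_header.values()) + 2
    counts = Counter(name for name, _ in headers)
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    largest = max(per_header, key=per_header.get) if per_header else None

    findings = []
    for name in duplicates:
        findings.append(f"{name} is sent {counts[name]} times: make one layer own it")
    if per_header.get("set-cookie", 0) > COOKIE_WARN_BYTES:
        findings.append("set-cookie is oversized: move data into a server-side session")
    if per_header.get("content-security-policy", 0) > CSP_WARN_BYTES:
        findings.append("content-security-policy is oversized: collapse sources, use nonces")

    return {
        "total_bytes": total,
        "over_cap": total > cap,
        "per_header_bytes": per_header,
        "duplicates": duplicates,
        "largest": largest,
        "findings": findings,
    }


if __name__ == "__main__":
    import sys
    # Pipe a real dump in (curl -sD - -o /dev/null URL | python3 this.py),
    # or run with no input to analyse the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    report = header_report(data)
    state = "OVER" if report["over_cap"] else "under"
    print(f"total header bytes: {report['total_bytes']} ({state} {CHROME_HEADER_CAP})")
    for name, size in sorted(report["per_header_bytes"].items(), key=lambda kv: -kv[1]):
        print(f"  {size:>8}  {name}")
    for finding in report["findings"]:
        print("  !", finding)
```

The per-header totals are summed across repeats, so a header that is individually modest but sent twice shows up at the top of the list, which is exactly the double-setting case from step 2. Run it against the dumps from both the app and the proxy and the layer that is adding the second copy becomes obvious.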

Stop it recurring

Treat total response-header size as a budget (aim well under 256KB) and make exactly one layer responsible for each security header.
