431 medium
HTTP 431 Request Header Fields Too Large
The server rejects the request because its total header size exceeds the configured buffer.
What you see
431 Request Header Fields Too Large
What’s actually happening
A user can't load the site while everyone else can — and clearing cookies fixes it instantly. That's the signature. It tends to appear after auth tokens, A/B-test cookies, or analytics pile up on one domain, or when a deep-linking referer/URL gets huge. Note: nginx frequently returns 400 Bad Request for this rather than a literal 431, so don't only grep for 431.
Common causes
- Bloated cookies — stacked session cookies, JWTs stored in cookies, or many third-party/tracking cookies on the same domain pushing total header size over the limit.
- An oversized Referer or a request line with a very long query string / encoded state.
- Too many custom headers (proxies appending X-Forwarded-*, tracing headers, auth headers) stacking up through a chain.
- Server buffer set too low: nginx large_client_header_buffers defaults to 4 8k; Node's default max header size is 16 KB.
- A redirect loop or SSO flow that keeps appending parameters/cookies until it blows the buffer.
How to fix it
- Prove it's headers, then shrink them. Have the user clear cookies for the domain (or test in incognito). If it loads, the headers were the problem. Audit document.cookie — drop cookies you don't need and stop storing large JWTs in cookies; move them to Authorization headers or short session IDs.
- Raise the nginx buffers. In the http or server block set large_client_header_buffers 4 16k; (and client_header_buffer_size 16k; for the first line). Reload nginx. Bump higher only if a legitimate flow genuinely needs it.
- Raise the Node/app limit. For Node, start with node --max-http-header-size=32768 server.js (or set maxHeaderSize in http.createServer options). Match this to whatever your fronting proxy allows so limits agree.
- Cover the HTTP/2 path. Under HTTP/2 the relevant knob differs: raise http2_max_header_size in nginx or H2MaxHeaderListSize in Apache, since the generic header-buffer settings don't apply to HPACK-compressed headers.
- Cut header bloat at the source. Scope cookies to subpaths/subdomains so they aren't sent everywhere, prune duplicate X-Forwarded-* additions in your proxy chain, and break SSO redirect loops that keep appending state.
Stop it recurring
Keep total request headers (cookies especially) well under your smallest buffer, and store big tokens out of cookies.
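One way to check a captured request against those limits, as an added example (not code from this page or from nginx or Node): it sizes each header line as sent over HTTP/1.1, flags any line larger than one 8k nginx buffer and any total above Node's 16 KB default, and ranks cookies by size. The function name, the sample request and the choice to count the request line toward the total are assumptions.

```javascript
// Added example. Limits are the defaults quoted on this page.
const LIMITS = {
  perLine: 8 * 1024, // one nginx buffer under "large_client_header_buffers 4 8k"
  total: 16 * 1024,  // Node's default max header size, the smallest total here
};

const bytes = (s) => Buffer.byteLength(s, 'utf8');

// requestLine: e.g. "GET /path HTTP/1.1"; headers: [name, value] pairs as sent.
function auditHeaders(requestLine, headers, limits = LIMITS) {
  const findings = [];
  const cookies = [];
  const reqBytes = bytes(requestLine) + 2; // + CRLF
  if (reqBytes > limits.perLine) {
    findings.push(`request line is ${reqBytes} B (per-line limit ${limits.perLine} B)`);
  }
  // Assumption: the request line and the final blank line count toward the total.
  let total = reqBytes + 2;
  for (const [name, value] of headers) {
    const size = bytes(`${name}: ${value}\r\n`);
    total += size;
    if (size > limits.perLine) {
      findings.push(`${name} is ${size} B (per-line limit ${limits.perLine} B)`);
    }
    if (name.toLowerCase() !== 'cookie') continue;
    // Break the Cookie header down so the heaviest cookie is obvious.
    for (const pair of value.split(/;\s*/).filter(Boolean)) {
      const eq = pair.indexOf('=');
      cookies.push({ name: eq < 0 ? pair : pair.slice(0, eq), bytes: bytes(pair) });
    }
  }
  if (total > limits.total) {
    findings.push(`headers total ${total} B (limit ${limits.total} B)`);
  }
  cookies.sort((a, b) => b.bytes - a.bytes);
  return { total, findings, cookies };
}

// Constructed sample: a session id, a 9000-character token stored in a cookie,
// and an A/B-test cookie, all on one domain.
const SAMPLE = [
  ['Host', 'app.example.test'],
  ['Cookie', `sid=abc123; jwt=${'A'.repeat(9000)}; ab_test=variantB`],
];
const report = auditHeaders('GET /dashboard HTTP/1.1', SAMPLE);
console.log(report.total, report.findings, report.cookies.slice(0, 3));
```

In the sample the total stays under 16 KB, yet the single Cookie line exceeds one 8k buffer, which is the case where nginx answers 400 rather than 431.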