Some Cloud REST API calls with long URLs fail

I want to share with you our findings regarding a server misconfiguration of Confluence Cloud that is causing some REST API calls to fail. Hopefully this will be helpful for anyone who is facing the same problem.

On some instances, our app crashed. The reason was a failing REST request, namely to the following URL:

As you can see, the URL is quite long (due to a lot of expansions), but with 2068 characters it is still well below the at least 8K limit that is typically in place for both browsers and servers.

We have identified that removing some of the expansions, regardless of which ones, solves the problem. However, there is no fixed limit on the length of the URL. For example, some URLs work on the first try, but when refreshing the page in the browser, they suddenly stop working. This seems to be due to the additional Cache-Control header that the browser is adding on refresh, so the limit seems to be on the total size of some parts of the HTTP request, rather than only on the length of the URL. However, not all request headers seem to play a role, for example the number of cookies does not seem to make a difference.

The fact that this happens only on some instances and that the maximum length is not fixed makes it very hard to build a reliable workaround. It seemed that the problem occurred on the majority of instances running the Free Plan, but also on some instances running the Standard Plan. We managed to fix the issue at first by removing some of the expansions to make the URL shorter (1897 characters), but later it appeared again on some (although fewer) instances. So we introduced a new workaround where we split the request into two parallel ones, each with half of the expansions.

The response that comes from the Confluence server in case of such an error also makes it hard to deal with. The usual behaviour if some URL size limit was actually reached would be to either truncate the URL or to respond with a 414 error. The Confluence server instead used to crash the HTTP/2 connection, although now it seems that it is responding with a 502 error that shows “Something went wrong”.

We reported the issue to Atlassian at the beginning of February 2020. Atlassian could reproduce the issue, but did not seem interested in fixing it and recommended that we make our URLs shorter. Based on our experience I would say it is a good idea to limit the URL size to around 1600 characters.
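
The workaround described in the post, splitting the expansions over parallel requests so that every URL stays short, could look like the following. This is an added example, not the poster's code: it generalises the two-way split to as many requests as the roughly 1600-character budget requires, and `fetchJson`, the deep-merge of the partial responses and all function names are assumptions.

```javascript
// Budget taken from the post's "around 1600 characters" recommendation.
const MAX_URL_LENGTH = 1600;

// Build one request URL carrying the given expansions.
function buildUrl(baseUrl, expansions) {
  if (expansions.length === 0) return baseUrl;
  const sep = baseUrl.includes("?") ? "&" : "?";
  return baseUrl + sep + "expand=" + expansions.map(encodeURIComponent).join(",");
}

// Greedily pack expansions into as few URLs as fit under maxLen each.
function splitExpansions(baseUrl, expansions, maxLen = MAX_URL_LENGTH) {
  const batches = [[]];
  for (const exp of expansions) {
    const current = batches[batches.length - 1];
    if (buildUrl(baseUrl, [exp]).length > maxLen) {
      throw new Error("single expansion exceeds URL budget: " + exp);
    }
    if (buildUrl(baseUrl, [...current, exp]).length > maxLen) {
      batches.push([exp]);
    } else {
      current.push(exp);
    }
  }
  return batches.map((b) => buildUrl(baseUrl, b));
}

const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Merge partial responses; keys that could pollute prototypes are skipped.
function deepMerge(target, source) {
  for (const [key, value] of Object.entries(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    if (isPlainObject(value) && isPlainObject(target[key])) {
      deepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// fetchJson is a hypothetical caller-supplied function: (url) => Promise<object>.
async function fetchWithSplitExpansions(baseUrl, expansions, fetchJson, maxLen) {
  const urls = splitExpansions(baseUrl, expansions, maxLen);
  const parts = await Promise.all(urls.map((url) => fetchJson(url)));
  return parts.reduce((merged, part) => deepMerge(merged, part), {});
}
```

Because the post observes that request headers also count towards the limit, the budget only bounds the URL part of the request; a 502 on a packed request is still worth retrying with a smaller `maxLen`.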