Tags: ajax, coldfusion, coldfusion-8, cfc, cfajaxproxy

Should the length of a URL string be limited to increase security?


I am using ColdFusion 8 and jQuery 1.7.2.

I am using CFAJAXPROXY to pass data to a CFC. Doing so creates a JSON array (argument collection) and passes it through the URL. The string can be very long, since quite a bit of data is being passed.

The site that I am working on has existing code that limits the length of any URL query string to 250 characters. This is done in the application.cfm file by testing the length of the query string. If any query string is greater than 250 characters, the request is aborted. The purpose of this was to ensure that hackers or other malicious code wouldn't be passed through the URL string.

Now that we are using the query string to pass JSON arrays in the URL, we discovered that the Ajax request was being aborted quite frequently.

We have many other security practices in place, such as stripping any "<>" tags from code and using CFQUERYPARAM.

My question is whether limiting the length of a URL string for the sake of security is a good idea or simply ineffective?

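The following is an added example, not code from the question, the answer or the site in question. It models the URL that a cfajaxproxy-style GET call puts on the wire (a CFC method name plus a JSON argument collection in the query string; the exact parameter names are an assumption here) and runs two constructed requests through the 250-character query-string gate described above and through a check on the decoded content instead. The endpoint path, the method name and the schema format are all invented for the example.

```javascript
// Added example (not from the original post). Compares a query-string
// length gate with a content check on the decoded argumentCollection.
// Parameter names, endpoint and schema format are assumptions.

// cfajaxproxy sends the CFC method name and the arguments as JSON in the
// query string for GET calls. Rebuild that shape (assumed parameter names).
function buildProxyUrl(base, method, args) {
  const params = new URLSearchParams({
    method,
    argumentCollection: JSON.stringify(args),
  });
  return `${base}?${params.toString()}`;
}

function queryString(url) {
  const i = url.indexOf("?");
  return i === -1 ? "" : url.slice(i + 1);
}

// The existing control from Application.cfm: abort any request whose
// query string is longer than max characters.
function lengthGate(url, max = 250) {
  return queryString(url).length <= max;
}

// A content control instead: a per-method schema for the decoded
// argumentCollection. Only listed keys are allowed and every value must
// match its spec. Hypothetical schema format written for this example.
const schemas = {
  saveContacts: {
    contacts: {
      kind: "array",
      maxItems: 500,
      item: { name: "string", email: "string" },
    },
  },
};

function matchesSpec(value, spec) {
  if (typeof spec === "string") return typeof value === spec;
  if (spec.kind === "array") {
    return Array.isArray(value) && value.length <= spec.maxItems &&
      value.every((v) => matchesObject(v, spec.item));
  }
  return false;
}

function matchesObject(obj, shape) {
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return false;
  return Object.keys(obj).every((k) => k in shape) &&
    Object.keys(shape).every((k) => k in obj && matchesSpec(obj[k], shape[k]));
}

function contentGate(url, schemaTable) {
  const params = new URLSearchParams(queryString(url));
  const shape = schemaTable[params.get("method")];
  if (!shape) return false;                  // unknown method: reject
  let args;
  try { args = JSON.parse(params.get("argumentCollection") ?? ""); }
  catch { return false; }                    // not JSON at all: reject
  return matchesObject(args, shape);
}

// Constructed sample requests (not real traffic).
const BASE = "/cfc/contacts.cfc";

// Legitimate call: twenty contacts, the kind of payload the question describes.
const legit = buildProxyUrl(BASE, "saveContacts", {
  contacts: Array.from({ length: 20 }, (_, i) => ({
    name: `User ${i}`,
    email: `user${i}@example.com`,
  })),
});

// Short hostile-looking payload: a string where an array is expected.
// Well under 250 characters, so the length gate never sees a problem.
const shortBad = buildProxyUrl(BASE, "saveContacts", { contacts: "' OR 1=1 --" });

function evaluate(url) {
  return {
    len: queryString(url).length,
    lengthGate: lengthGate(url),
    contentGate: contentGate(url, schemas),
  };
}

console.log(evaluate(legit));    // long: blocked by length, accepted by content check
console.log(evaluate(shortBad)); // short: passes length, rejected by content check
```

The length gate blocks the legitimate request and waves through the short one; the content check does the opposite, because it tests what the request is rather than how big it is. Whatever survives the content check still has to be bound with CFQUERYPARAM and encoded on output, as the question already notes.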

Solution

  • There is absolutely no correlation between URI length and security; rather, it is more a question of:

    1. Limiting the amount of information that you provide to a user agent to a 'Need to know basis'. This covers things such as the type of application server you run and associated conventions, the web server you run and associated conventions and the operating system on the host machine. These are essentially things that can be considered vulnerabilities.
    2. Reducing the impact of exploiting those vulnerabilities, i.e. introducing patches, ensuring correct configuration etc.

    As alluded to above, at the web tier this doesn't only cover GETs (your concern), but also POSTs, PUTs, DELETEs or just about any other operation on an HTTP resource.