Proposal

Right now net/http has Server.MaxHeaderBytes to limit request header size. Proposing an additional Server.MaxHeaderCount to limit total number of headers.

Rationale

Granted that Server already has quite a number of tunable fields, none address the issue of DOS attacks that send a boatload of headers. Even when limiting total header size to 64k, an attacker can still send ~13k headers in a single request. This puts visible pressure on the GC as the number of malicious requests scale up.

Implementing this is trivial with existing code.

Any hint of a workaround would be appreciated too.