Why am I receiving 413 errors from AWS App Runner when no rules are configured in the associated Web ACL?



I am currently dealing with a peculiar situation involving AWS App Runner and AWS Web ACL (WAF). Specifically, I am receiving 413 errors (Payload Too Large) from my App Runner instance when it's associated with a Web ACL, even if no rules are established within the WAF. This occurs with any files that are larger than 1MB.

The WAF logs indicate that the incoming requests are permitted. However, these requests never make it to my App Runner application (confirmed via application request logs and app runner metrics).

These are the response headers with the WAF associated:

HTTP/1.1 413 Payload Too Large
content-length: 17
content-type: text/plain
date: Sat, 01 Jul 2023 23:08:19 GMT
server: envoy
connection: close

Whereas as soon as I disassociate the WAF from the App Runner instance, requests reach my application again and receive the expected 200 OK response, with the following headers:

HTTP/1.1 200 OK
access-control-allow-origin: [redacted]
content-length: 15298
content-type: application/json; charset=utf-8
date: Sat, 01 Jul 2023 23:09:19 GMT
x-powered-by: Express
x-envoy-upstream-service-time: 25723
server: envoy
connection: close

From some testing, it also seems weirdly like when files larger than 250KB but smaller than 1MB are uploaded something similar but different is happening - they're allowed by the WAF but don't reach my application. But a 500 is returned rather than a 413.

I assume this is a bug, but otherwise would love any insight into why this is happening, or how I could address this issue? I would greatly appreciate your help.

asked a year ago574 views
2 Answers
Accepted Answer

Hi, I would agree with you on the fact that it's probably a bug, on which you may need to open a ticket to get it fixed.

In the meantime, to go around it, you may want (if your security constraints allow) to create WAF rules specific to large content having the option "Continue" associated with other conditions when its ok to go forward . WAF will then only inspect the first 8'192 bytes and accept the request if those initial bytes don't show any issue and the other conditions are satisfied.

For rules on oversize content, see https://docs.aws.amazon.com/waf/latest/developerguide/waf-oversize-request-components.html

Hope it helps


profile pictureAWS
answered a year ago
  • Hi, I have also experienced this phenomenon. I couldn't find a Q&A on this phenomenon anywhere and came across it here. I tried your answer, but the "413 (Payload Too Large)" error continued to occur. Is there anything wrong with the following that I have tried?

    Creating a custom rule to AWS WAF  Field to match: Body  Match type: Size greater than  Size: 16,384  Text transformations: None (Priority 0)  Oversize handling: Continue  Action: Count

    WAF also has a custom rule for Block with Action after Priority 1.


Hello. We believe this issue has been resolved at this time.

I have contacted AWS technical support regarding this issue and they have responded that they are already aware of this bug issue and will be working on a fix.

I believe this bug has been fixed as I have now tried and could not reproduce it.

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions