Qt HTTP Server Security Considerations

Overview

Qt HTTP Server provides several configuration settings to help protect an application against misuse scenarios such as malformed requests or unauthorized access. Qt 6.10 added several security configuration settings. This page summarizes recommended configurations and explains when and how to use them.

Warning: Do not expose Qt HTTP Server directly to the internet. Qt HTTP Server is not hardened against network-based attacks.

Network setups and configurations

Here are different ways to set up a network with a Qt HTTP Server.

No internet access

Ideally there is no access to the internet at all. This is the safest setup, but internet access is often required. If Qt HTTP Server is bound to localhost or to a QLocalServer, it does not accept connections from the internet. Note that all local clients connecting through 127.0.0.1 share that address, so their connections count toward the same per-host total, and a limit set with setMaximumConnectionsPerHost() applies to them collectively. By default, no per-host connection limit is set.

Binding to QSslServer on the internet

It is possible, but not supported, to bind Qt HTTP Server to a QSslServer that listens on a network interface reachable from the internet. Despite all the options in QHttpServerConfiguration, this setup is not supported because Qt HTTP Server is not sufficiently hardened.

Application setup

If using a thread pool, make sure it is not so large that the server cannot handle simultaneous, resource-intensive incoming requests. Although route() makes it easy to parse values out of the URL of an HTTP request, input validation remains the developer's responsibility.

Qt HTTP Server security configuration

Configure Qt HTTP Server through the QHttpServerConfiguration class. Adjust the limits based on your platform's capabilities and network setup.

Rate limits

  • Configure the maximum number of requests per second per client IP using setRateLimitPerSecond(). By default, there is no rate limit. When the limit is exceeded, the server responds with status code 429 (Too Many Requests).
  • Configure the maximum number of simultaneous connections using setMaximumConnections(). By default, there is no connection limit. When the limit is exceeded, the server responds with status code 429 (Too Many Requests), and the connection is closed.
  • Configure the maximum number of simultaneous connections per client IP using setMaximumConnectionsPerHost(). By default, there is no limit. When the limit is exceeded, the server responds with status code 429 (Too Many Requests), and the connection is closed.

Connection limits

  • Configure the maximum idle time for keep-alive connections using setKeepAliveTimeout(). By default, the timeout is 15 seconds.

Allowlisting and denylisting

  • Configure the list of client subnets that are allowed to access the server using setWhitelist(). By default, the allowlist is empty, and all clients are allowed. If the allowlist is not empty, only addresses in this list are accepted. The allowlist is checked before the denylist.
  • Configure the denied client subnets using setBlacklist(). The denylist is only applied when the allowlist is empty. By default, the denylist is empty.

Request size limits

  • Configure the maximum URL size using setMaximumUrlSize(). If the limit is exceeded, the server responds with HTTP status code 414 (Request-URI Too Long). The default maximum URL size is 64 KiB.
  • Configure the maximum total size of all HTTP request headers using setMaximumTotalHeaderSize(). If the limit is exceeded, the server responds with HTTP status code 431 (Request Header Fields Too Large). The default total header size is 64 KiB.
  • Configure the maximum size of a single HTTP header field using setMaximumHeaderFieldSize(). If the limit is exceeded, the server responds with HTTP status code 431 (Request Header Fields Too Large). The default maximum header field size is 48 KiB.
  • Configure the maximum number of HTTP header fields per request using setMaximumHeaderFieldCount(). If the limit is exceeded, the server responds with HTTP status code 431 (Request Header Fields Too Large). The default maximum header field count is 128.
  • Configure the maximum request body size using setMaximumBodySize(). If the limit is exceeded, the server responds with HTTP status code 413 (Content Too Large). The default maximum body size is 32 MiB.
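The following is an added, self-contained model of the rules listed above, written so it compiles without a Qt build; it is not Qt code and does not use the QHttpServerConfiguration API. It encodes the documented defaults, the allowlist-before-denylist precedence, the shared 127.0.0.1 per-host count, and the status codes for each limit; IPv4-only subnets and the order in which the size checks run are assumptions.

```cpp
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>

// Added model of the rules on this page, not Qt code: it mirrors the documented
// defaults, allowlist/denylist precedence and status codes so a policy can be
// reasoned about without a Qt build. IPv4-only subnets are an assumption.
struct Subnet { uint32_t addr; int prefix; };
static uint32_t ipv4(const std::string &s) {              // "10.1.2.3" -> 0x0a010203
    uint32_t a = 0, part = 0; char dot = 0; std::istringstream in(s);
    for (int i = 0; i < 4; ++i) { in >> part; if (i < 3) in >> dot; a = (a << 8) | (part & 0xffu); }
    return a;
}
static Subnet subnet(const std::string &cidr) {           // "10.0.0.0/8"
    auto slash = cidr.find('/');
    return { ipv4(cidr.substr(0, slash)), std::stoi(cidr.substr(slash + 1)) };
}
static bool inSubnet(uint32_t ip, const Subnet &s) {
    uint32_t mask = s.prefix == 0 ? 0u : 0xffffffffu << (32 - s.prefix);
    return (ip & mask) == (s.addr & mask);
}
struct Policy {                                           // defaults as documented
    std::vector<Subnet> whitelist, blacklist;             // empty = not applied
    size_t maxConnectionsPerHost = 0;                     // 0 = no limit
    size_t maxUrl = 64 * 1024, maxTotalHeader = 64 * 1024, maxField = 48 * 1024;
    size_t maxFieldCount = 128, maxBody = 32u * 1024 * 1024;
};
struct Request {
    std::string client;                 // every localhost client shows up as 127.0.0.1
    size_t activeFromHost = 0;          // connections already open from this client
    size_t urlSize = 0, totalHeaderSize = 0, largestField = 0, fieldCount = 0, bodySize = 0;
};
enum { Accepted = 0, Refused = -1 };    // Refused: the page gives no status code for it
// Returns Accepted, Refused, or the documented status for the violated limit (check order assumed).
static int decide(const Policy &p, const Request &r) {
    uint32_t ip = ipv4(r.client);
    auto match = [&](const std::vector<Subnet> &l) {
        for (const auto &s : l) if (inSubnet(ip, s)) return true;
        return false; };
    if (!p.whitelist.empty()) { if (!match(p.whitelist)) return Refused; }  // allowlist first
    else if (match(p.blacklist)) return Refused;   // denylist only when allowlist is empty
    if (p.maxConnectionsPerHost && r.activeFromHost >= p.maxConnectionsPerHost) return 429;
    if (r.urlSize > p.maxUrl) return 414;
    if (r.totalHeaderSize > p.maxTotalHeader || r.largestField > p.maxField
        || r.fieldCount > p.maxFieldCount) return 431;
    if (r.bodySize > p.maxBody) return 413;
    return Accepted;
}
```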

Note: Always use the latest security updates for Qt and all dependent libraries.

© 2026 The Qt Company Ltd. Documentation contributions included herein are the copyrights of their respective owners. The documentation provided herein is licensed under the terms of the GNU Free Documentation License version 1.3 as published by the Free Software Foundation. Qt and respective logos are trademarks of The Qt Company Ltd. in Finland and/or other countries worldwide. All other trademarks are property of their respective owners.