For a PWA of my own, I use
- lots of tiny .mjs files as dynamic imports
- lots of tiny .html files
- lots of tiny .css files
All of them are prefetched, then just-in-time parsed and executed (lazy load / PRPL pattern).
I implemented HTTP2 prefetches + a hash-based CSP.
I noticed that I cannot activate both HTTP2 prefetches AND the hash-based CSP.
If I do so, the page load seems to run forever.
To make the page work, I have to choose: either HTTP2 prefetches or the hash-based CSP.
This does not feel acceptable.
I was wondering why. I copied the expected headers into a .txt file. I wanted to assess the headers' size. I found that the file size slightly exceeded 16 KB.
The current limit for headers total size seems to be 16 KB.
Given the general trend to split code into lots of small files, all the new headers that are created every year (looking at you, COEP), the increasing need for more speed AND security, and the fact that in HTTP2 headers, as in a hash-based CSP, you have to enumerate those files (and trust me, these lists can be quite verbose because each file with a hash in its name appears x2, both in the prefetches and in the hash-based CSP), 16 KB as a total headers size does not seem enough to fit both today's and tomorrow's needs.
Please increase the limit for headers total size to 512 KB.
This way Cloudflare Workers can handle plenty of headers.
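
The size check described in the post (writing out the expected headers and measuring them), as an added Node.js example that is not part of the original post. The asset names, the single `Link` plus `Content-Security-Policy` layout and the `script-src` hash list are assumptions; the 16 KB limit is the figure the post reports.

```javascript
// Added example (not from the original post): estimate the header budget
// for prefetch Link entries plus a hash-based CSP.
const { createHash } = require("node:crypto");

const HEADER_LIMIT_BYTES = 16 * 1024; // total header limit reported in the post

// CSP hash source for one script body: 'sha256-<base64 digest>'
function cspHashSource(body) {
  return `'sha256-${createHash("sha256").update(body).digest("base64")}'`;
}

// Constructed sample assets: fingerprinted .mjs chunks (names are hypothetical).
function makeAssets(count) {
  return Array.from({ length: count }, (_, i) => {
    const body = `export const id = ${i};`;
    const tag = createHash("sha256").update(body).digest("hex").slice(0, 8);
    return { path: `/js/chunk-${i}.${tag}.mjs`, body };
  });
}

// Assumed header layout: one Link header listing every prefetch and one CSP
// header listing every script hash.
function buildHeaders(assets) {
  const link = assets.map((a) => `<${a.path}>; rel=prefetch`).join(", ");
  const hashes = assets.map((a) => cspHashSource(a.body)).join(" ");
  return {
    "link": link,
    "content-security-policy": `default-src 'self'; script-src ${hashes}`,
  };
}

// Uncompressed size of "name: value\r\n" lines, the same measure as saving
// the headers to a text file.
function headerBytes(headers) {
  return Object.entries(headers).reduce(
    (sum, [name, value]) => sum + Buffer.byteLength(`${name}: ${value}\r\n`), 0);
}

function budgetReport(assets, limit = HEADER_LIMIT_BYTES) {
  const total = headerBytes(buildHeaders(assets));
  return { assets: assets.length, total, limit, overLimit: total > limit };
}

// Largest asset count whose headers still fit under the limit.
function maxAssetsWithinLimit(limit = HEADER_LIMIT_BYTES) {
  let n = 0;
  while (!budgetReport(makeAssets(n + 1), limit).overLimit) n++;
  return n;
}

console.log(budgetReport(makeAssets(50)), budgetReport(makeAssets(300)));
console.log("max assets within limit:", maxAssetsWithinLimit());
```

Running the same report in a build step against the real asset manifest shows how close a deployment is to the limit before the headers are served.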