Limitations

The following headers are not accessible within a Function. Avoid developing any code that depends on these headers or their variants.

You cannot interact with the pre-flight OPTIONS request that is sent by browsers. The Runtime client will automatically respond to OPTIONS requests with Access-Control-Allow-Headers: *, and pass along all included request headers to the targeted Function (unless they are in the exclusions list above). In addition, the Runtime client allows all origins by returning Access-Control-Allow-Origin: *.

Headers and cookies in both incoming requests and outgoing responses are subject to these limits:

• Max header size: 15kb (including cookies)
• Max header count: 90 (including cookies)

If either of these limits is exceeded, your Function will throw a 431 error. The error will include the message Request headers or cookies too long if the limits are exceeded by a request, or Response headers or cookies too long if you've constructed a response that exceeds these limits.

This will also generate a Twilio Error 82008.

• Runtime automatically adds the HttpOnly and Secure attributes to your cookies by default, unless you manually set those values.
• You cannot manually set the value of the Domain attribute on a cookie. The value will be removed and set to the domain of the Function creating the response.
• If you do not set a Max-Age or Expires on a cookie, it will be considered a Session cookie.
• If you set both Max-Age and Expires on a cookie, Max-Age takes precedence.
• If you set the Max-Age or Expires of a cookie to greater than 24 hours, your Function will return a 400 error with the message Cookies max-age cannot be greater than a day.