diff --git a/src/connections.c b/src/connections.c index 4c8d6a3e..fa6df0ee 100644 --- a/src/connections.c +++ b/src/connections.c @@ -64,7 +64,7 @@ static int connection_del(server *srv, connection *con) { if (-1 == con->ndx) return -1; - buffer_reset(con->uri.authority); + buffer_clear(con->uri.authority); buffer_reset(con->uri.path); buffer_reset(con->uri.query); buffer_reset(con->request.orig_uri); @@ -619,18 +619,19 @@ int connection_reset(server *srv, connection *con) { /* CLEAN(request.orig_uri); */ - CLEAN(uri.scheme); - /* CLEAN(uri.authority); */ /* CLEAN(uri.path); */ CLEAN(uri.path_raw); /* CLEAN(uri.query); */ CLEAN(parse_request); - CLEAN(server_name); - /*CLEAN(proto);*//* set to default in connection_accepted() */ #undef CLEAN + buffer_clear(con->uri.scheme); + /*buffer_clear(con->proto);*//* set to default in connection_accepted() */ + /*buffer_clear(con->uri.authority);*/ + buffer_clear(con->server_name); + con->request.http_host = NULL; con->request.content_length = 0; con->request.te_chunked = 0; @@ -1126,7 +1127,7 @@ int connection_state_machine(server *srv, connection *con) { break; case CON_STATE_REQUEST_END: /* transient */ - buffer_reset(con->uri.authority); + buffer_clear(con->uri.authority); buffer_reset(con->uri.path); buffer_reset(con->uri.query); buffer_reset(con->request.orig_uri); diff --git a/src/mod_openssl.c b/src/mod_openssl.c index adde436c..109808bd 100644 --- a/src/mod_openssl.c +++ b/src/mod_openssl.c @@ -327,6 +327,7 @@ network_ssl_servername_callback (SSL *ssl, int *al, server *srv) const char *servername; handler_ctx *hctx = (handler_ctx *) SSL_get_app_data(ssl); connection *con = hctx->con; + size_t len; UNUSED(al); buffer_copy_string(con->uri.scheme, "https"); 
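Review bot: The switch from `buffer_reset` to `buffer_clear` on `con->uri.authority` in connection_del (repeated in connection_reset and under CON_STATE_REQUEST_END in connection_state_machine) rests on an undocumented assumption that this buffer can never grow large. Neither helper's definition is part of this diff, but if `buffer_clear` only resets the used length while `buffer_reset` may release an oversized allocation, the memory retained per connection now depends on the length caps this commit adds in request.c and mod_openssl.c. I would add a comment at the first site, such as `/* uri.authority is limited to < 1024 by the Host and SNI length checks, so the allocation is kept */`, and confirm that any other code writing to uri.authority is bounded the same way. All three function bodies continue outside their hunks.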
@@ -340,8 +341,14 @@ network_ssl_servername_callback (SSL *ssl, int *al, server *srv) #endif return SSL_TLSEXT_ERR_NOACK; } + len = strlen(servername); + if (len >= 1024) { /*(expecting < 256)*/ + log_error_write(srv, __FILE__, __LINE__, "sss", "SSL:", + "SNI name too long", servername); + return SSL_TLSEXT_ERR_ALERT_FATAL; + } /* use SNI to patch mod_openssl config and then reset COMP_HTTP_HOST */ - buffer_copy_string(con->uri.authority, servername); + buffer_copy_string_len(con->uri.authority, servername, len); buffer_to_lower(con->uri.authority); con->conditional_is_valid[COMP_HTTP_SCHEME] = 1; @@ -350,7 +357,7 @@ network_ssl_servername_callback (SSL *ssl, int *al, server *srv) /* reset COMP_HTTP_HOST so that conditions re-run after request hdrs read */ /*(done in response.c:config_cond_cache_reset() after request hdrs read)*/ /*config_cond_cache_reset_item(con, COMP_HTTP_HOST);*/ - /*buffer_reset(con->uri.authority);*/ + /*buffer_clear(con->uri.authority);*/ if (NULL == hctx->conf.ssl_pemfile_x509 || NULL == hctx->conf.ssl_pemfile_pkey) { diff --git a/src/request.c b/src/request.c index a540f733..f2d3c527 100644 --- a/src/request.c +++ b/src/request.c @@ -348,10 +348,6 @@ int http_request_host_policy (connection *con, buffer *b, const buffer *scheme) && 0 != http_request_host_normalize(b, scheme_port(scheme)))); } -#if 0 -#define DUMP_HEADER -#endif - static int http_request_split_value(array *vals, const char *current, size_t len) { int state = 0; const char *token_start = NULL, *token_end = NULL; 
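Review bot: In network_ssl_servername_callback the new `len >= 1024` branch passes the rejected `servername` to `log_error_write`, so a client-supplied string that has just been judged too long is written to the error log in full, before any request has been authenticated. A remote peer can therefore inflate the log with every failed handshake, and unless the `s` format escapes control characters (not visible in this diff) the entry can carry arbitrary bytes. Logging the length instead keeps the diagnostic without echoing the input, for example `log_error_write(srv, __FILE__, __LINE__, "ssd", "SSL:", "SNI name too long, length:", (int)len);`. The function body starts and ends outside the hunk.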
@@ -468,6 +464,14 @@ static int parse_single_header(server *srv, connection *con, parse_header_state case HTTP_HEADER_HOST: if (!(con->request.htags & HTTP_HEADER_HOST)) { saveb = &con->request.http_host; + if (vlen >= 1024) { /*(expecting < 256)*/ + if (srv->srvconf.log_request_header_on_error) { + log_error_write(srv, __FILE__, __LINE__, "s", "uri-authority too long -> 400"); + log_error_write(srv, __FILE__, __LINE__, "Sb", + "request-header:\n", con->request.request); + } + return 0; /* invalid header */ + } } else if (state->reqline_host) { /* ignore all Host: headers as we got Host in request line */ @@ -867,6 +871,14 @@ static size_t http_request_parse_reqline(server *srv, connection *con, parse_hea if (state->reqline_host) { /* Insert as host header */ + if (state->reqline_hostlen >= 1024) { /*(expecting < 256)*/ + if (srv->srvconf.log_request_header_on_error) { + log_error_write(srv, __FILE__, __LINE__, "s", "uri-authority too long -> 400"); + log_error_write(srv, __FILE__, __LINE__, "Sb", + "request-header:\n", con->request.request); + } + return 0; + } http_header_request_set(con, HTTP_HEADER_HOST, CONST_STR_LEN("Host"), state->reqline_host, state->reqline_hostlen); con->request.http_host = http_header_request_get(con, HTTP_HEADER_HOST, CONST_STR_LEN("Host")); }
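Review bot: The limit `1024` with the remark `/*(expecting < 256)*/` is written as a bare literal in the HTTP_HEADER_HOST case of parse_single_header, and the same literal appears again in http_request_parse_reqline and in network_ssl_servername_callback in mod_openssl.c. The three checks enforce one invariant on the authority length, so a later change to one of them would silently leave the others behind. A single named constant in a header that both files include, for instance `#define HTTP_HOST_MAX_LEN 1024` (name to be chosen by the project), with the checks written as `if (vlen >= HTTP_HOST_MAX_LEN)`, would keep them in step and give the connections.c cleanup code something to refer to. parse_single_header continues outside the hunk.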