Protocol Downgrade

If you're incorporating Standard TLS or ​Akamai​'s shared certificate delivery security (HTTPS L1), you may want to apply HTTPS to the request from the client to our Edge servers, but "downgrade" the connection to HTTP-only between ​Akamai​ and your origin. We refer to this as "Protocol Downgrade."


Are you using NetStorage?

If you're using NetStorage as your origin server in your Object Delivery property, Protocol Downgrade does not apply.


The secure HTTPS connection starts with the client that accesses our Edge servers, where your Object Delivery property is read and processed. However, you serve an HTTP connection when delivering content from your origin to the client.

You might need Protocol Downgrade in your environment if either of the following applies:

  • You haven't upgraded your origin to support secure connections. (Or, you don't want to.)

  • You want to avoid the overhead associated with secure sockets layer (SSL) when serving non-personally identifiable information (PII) assets.

To implement this, we offer the Protocol Downgrade (HTTPS Downgrade to Origin) behavior that can be applied to your Object Delivery property.

Important features and limitations

Before you set up this behavior, review the points here to familiarize yourself with its various features and limitations.

  • Secure (HTTPS) hostnames, only: This behavior requires secure certificate delivery (HTTPS). However, Enhanced TLS (L3) certificate security is not supported. (The legacy "Protocol Downgrade" behavior supports it.) This behavior is only supported for use with the following:

    • Standard TLS (L1) Certificate
    • Shared Certificate hostname
  • A downgrade is restricted to GET, HEAD, and OPTIONS methods.

  • This behavior does not allow whole site downgrades. For example, you can't use this behavior to downgrade delivery of the full site, from your origin.

  • There are no limits on downgrade based on file extension. We don't limit the downgrade of specific file types.

  • This behavior does not trim query strings on a downgrade. If your origin delivers assets that incorporate query strings, they're left as is.

  • You can include all headers in a downgraded request, except these:

    • Origin
    • Referer
    • Cookie
    • Cookie2
    • sec-*
    • proxy-*

How do I get the Protocol Downgrade (HTTPS Downgrade to Origin) behavior?

You need to have this added to your contract to access the appropriate behavior in Property Manager. Contact your Account Representative to add this functionality.