- Property Manager name: Strict Header Parsing
- Behavior version: The v2022-10-18 rule format supports the strictHeaderParsing behavior v1.0.
- Rule format status: Deprecated, outdated rule format
- Access: Read-write
- Allowed in includes: Yes
This behavior specifies how the edge servers should handle requests containing improperly formatted or invalid headers that don’t comply with RFC 9110.
Some clients send invalid, incorrectly formatted, non-RFC-compliant request headers. If such requests are forwarded to the origin server, a “bad actor” can exploit this, for example to poison your cache so that invalid content is returned to your end users. Use Strict Header Parsing to tell the edge servers which requests to reject, independently of the Akamai platform's default behavior. This lets you either get the protection earlier than the global customer base or defer the change to a later time, though deferring is not recommended. Note that the two modes are independent – each of them concerns a different issue with the request headers. For both options, a warning is written to the edge server logs whether the option is enabled or disabled.
As Akamai strives to be fully RFC-compliant, you should enable both options as best practice.
Enabling both options ensures that Akamai edge servers reject requests with invalid headers and don’t forward them to your origin. In such cases, the end user receives a 400 Bad Request HTTP response code.
Option | Type | Description
---|---|---
enabled | boolean | When enabled, the edge servers reject requests with non-compliant headers, responding with a 400 status code. When disabled, the edge servers apply the default platform settings, allowing requests with the non-compliant headers.
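To make concrete what "non-compliant headers" means at the line level, here is an added Python illustration (not Akamai's code and not the edge server's actual parser) of the checks RFC 9110 (field syntax) and RFC 9112 (HTTP/1.1 message framing) require of a strict parser: token-only field names, no whitespace between the name and the colon, no obsolete line folding, and no CR/LF/NUL inside field values. The request header blocks at the bottom are constructed samples.

```python
import re
from typing import Dict, Optional, Tuple, Union

# RFC 9110 section 5.1: field-name = token, built only from tchar characters.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
FIELD_NAME = re.compile(rf"^{TCHAR}+$")
# RFC 9110 section 5.5: field content is VCHAR / obs-text with SP or HTAB
# between words; CR, LF and NUL must not appear in a field value.
FIELD_VALUE = re.compile(r"^[\t \x21-\x7e\x80-\xff]*$")


def check_header_line(line: str) -> Optional[str]:
    """Return None if the header line is compliant, else the reason to reject it."""
    if line.startswith((" ", "\t")):
        return "obsolete line folding (leading whitespace) is not allowed"
    if ":" not in line:
        return "missing ':' separator"
    name, value = line.split(":", 1)
    if name == "":
        return "empty field name"
    if name != name.rstrip(" \t"):
        # RFC 9112 section 5.1: a server MUST reject such a request with 400.
        return "whitespace between field name and ':'"
    if not FIELD_NAME.fullmatch(name):
        return f"field name {name!r} contains a non-token character"
    if not FIELD_VALUE.fullmatch(value.strip(" \t")):  # OWS around the value is fine
        return "field value contains CR, LF, NUL or another control character"
    return None


def parse_strict(raw_headers: str) -> Tuple[int, Union[Dict[str, str], str]]:
    """Strict-mode parse of a CRLF-separated header block.

    Returns (200, headers) when every line is compliant, otherwise (400, reason),
    mirroring the 400 Bad Request the text describes for rejected requests.
    """
    headers: Dict[str, str] = {}
    for line in raw_headers.split("\r\n"):
        if line == "":
            continue
        problem = check_header_line(line)
        if problem is not None:
            return 400, problem
        name, value = line.split(":", 1)
        headers[name.lower()] = value.strip(" \t")
    return 200, headers


# Constructed sample header blocks (not captured traffic).
GOOD = "Host: www.example.com\r\nAccept: */*\r\n"
BAD_SPACE = "Host : www.example.com\r\n"              # space before the colon
BAD_FOLD = "Accept: text/html\r\n ,text/plain\r\n"    # obsolete line folding
BAD_NAME = "X-Custom(1): a\r\n"                       # "(" is not a tchar
BAD_CTL = "X-Inject: a\x00b\r\n"                      # NUL inside the value
```

Running `parse_strict` over the constructed blocks returns `(200, {...})` only for `GOOD`; each of the others is rejected with a 400 and the reason string, which is the kind of detail worth surfacing in edge logs when the behavior is being rolled out.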