Validation errors

The tables in this section provide details for many of the errors you may encounter, along with the HTTP status codes they share. Note that this is not an exhaustive listing. Each problem object's type member corresponds to items listed in the tables below. Problem types reported in HTTP error responses follow this URL pattern, where the type identifier may include an additional slash character:

https://problems.luna.akamaiapis.net/papi/{version}/{type}

URLs for many problem types included within rule tree and property hostname response objects are formed with an additional validation component:

https://problems.luna.akamaiapis.net/papi/{version}/validation/{type}

For more information about blocking and non-blocking validation issues, see Rule tree errors and warnings.

Property hostnames

An additional set of errors may be listed within hostname objects that prevent you from activating the property version:

TypeProblem
generic_‚Äčbehavior_‚Äčissue.origin_‚Äčname_‚Äčhostname_‚ÄčoverlapAn origin may not specify the same hostname as a property.
hostnames.bad_‚Äčhostname_‚ÄčformatThe hostname isn't formatted properly.
hostnames.disallowed_‚Äčakamaihd_‚Äčdot_‚Äčnet_‚ÄčhostnameThe AkamaiHD hostname is invalid. The prefix for a.akamaihd.net has a maximum 16 alphanumeric and underscore characters.
hostnames.disallowed_‚Äčakamaized_‚Äčdot_‚Äčnet_‚ÄčhostnameThe hostname may not specify akamaized.net.
hostnames.dualstack_‚Äčdissuasion_‚ÄčwarningMake sure your origin can handle IPv6 traffic.
hostnames.duplicate_‚ÄčhostnameThe hostname is listed more than once.
hostnames.empty_‚ÄčhostnamesSpecify at least one property hostname.
hostnames.empty_‚Äčstring_‚ÄčhostnameThe hostname may not be empty.
hostnames.enhancedtls_‚Äčmodule_‚Äčstandard_‚ÄčcertYour contract features the Enhanced TLS module, but the property hostname uses a standard certificate, a potential PCI violation.
hostnames.hostname_‚Äčcontains_‚ÄčunderscoreAvoid underscore characters in hostnames, which may cause problems for some DNS resolvers.
hostnames.hostname_‚Äčoverlapping_‚ÄčcertsSome domains are covered by both Enhanced TLS and Standard TLS certificates. Avoid this unless you're migrating properties.
hostnames.insecure_‚Äčmodule_‚Äčstandard_‚ÄčcertYour contract requires the Standard TLS module to select a hostname with a standard certificate.
hostnames.insecure_‚Äčproperty_‚Äčsecure_‚Äčedge_‚ÄčhostnameAn Enhanced TLS edge hostname is incompatible with your non-secure property.
hostnames.max_‚Äčhostnames_‚Äčlimit_‚ÄčhardYou have reached the maximum number of hostnames per property. Either reconfigure using the instantConfig behavior, split your hostnames across more than one property, or consult with your account representative.
hostnames.max_‚Äčhostnames_‚Äčlimit_‚ÄčsoftYou have exceeded the optimal number of hostnames per property. Either reconfigure using the instantConfig behavior, split your hostnames across more than one property, or consult with your account representative.
hostnames.mdc_‚Äčsubdomain_‚ÄčprefixThe hostname is formatted incorrectly, and can't begin with a hyphen.
hostnames.missing_‚ÄčedgehostnameA property hostname needs to reference a corresponding edge hostname.
hostnames.non_‚Äčenhancedtls_‚Äčmodule_‚Äčenhanced_‚ÄčcertYour contract requires the Enhanced TLS module to select a hostname with an enhanced certificate.
hostnames.secure_‚Äčproperty_‚Äčinsecure_‚Äčedge_‚ÄčhostnameA Standard TLS edge hostname is incompatible with your secure property.
hostnames.secure_‚Äčproperty_‚Äčinsecure_‚Äčedge_‚Äčhostname_‚Äčshared_‚ÄčcertAn edge hostname is incompatible with your secure property.
hostnames.secure_‚Äčproperty_‚Äčwithout_‚Äčsecure_‚ÄčmodulesYour contract requires secure modules to deploy a secure property.
hostnames.shared_‚Äčcert_‚Äčsubdomain_‚ÄčprefixThe hostname is formatted incorrectly, and can't begin with a hyphen.
hostnames.unknown_‚Äčedge_‚ÄčhostnameThe edge hostname is unavailable, and may not exist.

Rules, behaviors, and criteria

These general errors relate to how you implement behaviors and criteria. They may be listed within rule trees, and may prevent you from activating the property version:

TypeProblem
compatible_‚ÄčbehaviorsRules include incompatible behaviors.
condition_‚Äčno_‚Äčprompt_‚ÄčupgradeYou must upgrade to a new version of a criteria.
deprecatedThe behavior has been deprecated.
deprecated_‚ÄčdeleteThe behavior has been removed.
deprecated_‚ÄčreadonlyThe behavior has been deprecated.
duplicate_‚ÄčfeatureTwo behaviors of the same type are inappropriately placed within the same rule.
feature_‚Äčno_‚Äčprompt_‚ÄčupgradeA new version of the behavior is available, requiring an upgrade.
feature_‚Äčupgrade_‚ÄčrequiredThe property needs to be upgraded to replace a deprecated behavior.
feature_‚Äčupgrade_‚Äčrequired_‚ÄčreadonlyThe property needs to be upgraded to replace a deprecated behavior, but this version can't be edited. Create a new version if necessary.
feature_‚Äčupgrade_‚Äčrequired_‚ÄčviewonlyA new version of the behavior is available, requiring an upgrade.
generic_‚Äčbehavior_‚Äčissue.kss_‚Äčnot_‚ÄčobjectA new version of the behavior is available that may require a different set of options.
generic_‚Äčbehavior_‚Äčissue.netstorage_‚Äčgroup_‚Äčnot_‚ÄčavailableA specified NetStorage account isn't assigned to this property's group.
generic_‚Äčbehavior_‚Äčissue.origin_‚Äčmissing_‚Äčauxlist_‚ÄčsubtitleYour auxiliary certificate list specifies trusted items not reflected in what your origin behavior specifies. Confirm they're accurate, and contact your account team if there's a problem.
generic_‚Äčbehavior_‚Äčissue.origin_‚Äčmissing_‚Äčtrust_‚Äčca_‚Äčcerts_‚Äčfrom_‚ÄčunderrideYour auxiliary certificate list specifies trusted items not reflected in what your origin behavior specifies. Confirm they're accurate, and contact your account team if there's a problem.
generic_‚Äčbehavior_‚Äčissue.origin_‚Äčmissing_‚Äčtrust_‚Äčcerts_‚Äčfrom_‚ÄčunderrideYour auxiliary certificate list specifies trusted items not reflected in what your origin behavior specifies. Confirm they're accurate, and contact your account team if there's a problem.
generic_‚Äčbehavior_‚Äčissue.origin_‚Äčvalid_‚Äčcn_‚Äčmissing_‚Äčvalues_‚Äčfrom_‚Äčunderride_‚ÄčerrorThe origin behavior's customValidCnValues option is missing CN/SAN match values from the auxiliary certificates list, so an ordinarily trusted certificate may not be trusted, and may result in a service outage.
generic_‚Äčbehavior_‚Äčissue.origin_‚Äčvalid_‚Äčcn_‚Äčmissing_‚Äčvalues_‚Äčfrom_‚Äčunderride_‚ÄčwarningConfirm the origin behavior's customValidCnValues option includes all CN/SAN values from the auxiliary certificates list.
generic_‚Äčbehavior_‚Äčissue.origin_‚Äčvalid_‚Äčcn_‚ÄčwildcardValues in the origin behavior's customValidCnValues option may contain a star (*) character, but it's interpreted literally.
incompatible_‚ÄčconditionThere's an incompatibility with a specific criteria within the same rule.
incompatible_‚ÄčfeaturesThere's an incompatibility with a specific behavior within the same rule.
incompatible_‚Äčstages.multipleThere's an incompatibility with a set of match criteria.
incompatible_‚Äčstages.noneThere's an incompatibility with a criteria in a parent rule.
incompatible_‚Äčstages.oneThere's an incompatibility with a criteria that appears in the same rule.
required_‚ÄčfeatureThe default rule requires a behavior for the property to work.
too_‚Äčmany_‚ÄčinstancesThere are more instances of the specified behavior than allowed within a property.
unknown_‚ÄčconditionThe criteria isn't supported, and you need to remove it before activating your property.
unknown_‚ÄčfeatureThe behavior isn't supported, and you need to remove it before activating your property.
unknown_‚Äčfeature_‚ÄčattributeThe behavior or criteria specifies an unknown option.

Option values

These errors may be listed within rule trees, and may prevent you from activating the property version:

TypeProblem
generic_‚Äčbehavior_‚Äčissue.table_‚Äčoption_‚Äčdup_‚ÄčrowThe option specifies duplicated items.
illegal_‚Äčoption_‚Äčvalue_‚Äčformat.featuresA behavior option's data type is invalid.
illegal_‚Äčoption_‚Äčvalue_‚Äčformat.matchesA criteria option's data type is invalid.
insecure_‚Äčstring_‚ÄčvalueOption values may not specify %( text.
non_‚ÄčasciiThe option specifies non-ASCII characters.
option_‚ÄčemptyThe option may not specify an empty value.
option_‚Äčrequired.featuresThe behavior is missing a required option.
option_‚Äčrequired.matchesThe criteria is missing a required option.
option_‚Äčrequired_‚Äčwhen.featuresThe behavior is missing an option that's required when another of its options is set to a specific value.
option_‚Äčrequired_‚Äčwhen.matchesThe criteria is missing an option that's required when another of its options is set to a specific value.

Variables

These errors may be listed within rule trees, and may prevent you from activating the property version:

TypeProblem
cannot_‚ÄčvalidateThe option can't be validated because the value of its embedded variable can only be known at runtime.
duplicate_‚ÄčvariableThere's more than one declared variable with the same name.
empty_‚Äčvariable_‚ÄčnameThe name of the variable can't be empty.
internal_‚Äčvariable_‚Äčin_‚ÄčxmlAn advanced behavior specifies a variable that uses a reserved prefix.
no_‚Äčvariable_‚ÄčsupportYour contract doesn't support use of variables.
syntax_‚Äčerror_‚Äčin_‚Äčvariable_‚Äčexpression.illegal_‚ÄčexpressionThere's a format error in a variable expression.
syntax_‚Äčerror_‚Äčin_‚Äčvariable_‚Äčexpression.illegal_‚ÄčprefixThere's an illegal prefix in a variable expression.
syntax_‚Äčerror_‚Äčin_‚Äčvariable_‚Äčexpression.missing_‚Äčend_‚ÄčtokenThere's a missing end token in a variable expression.
unknown_‚Äčvariable_‚ÄčnameAn undeclared variable name was invoked.

Metadata

These errors may be listed within rule trees, and may prevent you from activating the property version:

TypeProblem
advanced_‚Äčoverride_‚Äčbadly_‚Äčformatted_‚ÄčxmlThe advanced override metadata features invalid XML.
advanced_‚Äčoverride_‚Äčmetadata_‚ÄčenabledA rule specifies advanced metadata that potentially overrides other configurations specified in previous rules.
badly_‚Äčformatted_‚ÄčxmlThe behavior specifies invalid XML metadata.
conflicting_‚ÄčxmlA behavior may not work as expected because advanced metadata may cause conflicts.

Contracts, accounts, and CP codes

These errors may be listed within rule tree or hostname objects, and may prevent you from activating the property version:

TypeProblem
advanced_‚Äčcpcodes_‚Äčoutside_‚Äčaccount_‚Äčcp_‚Äčvalidated_‚ÄčfalseThe property invokes a CP code not provisioned under this account, and Origin Domains will be enforced. Contact your account representative for more information.
advanced_‚Äčcpcodes_‚Äčoutside_‚Äčaccount_‚Äčcp_‚Äčvalidated_‚ÄčtrueThe property invokes a CP code not provisioned under this account, and Origin Domain enforcement is disabled. Choose different CP codes, or move them into the current account.
advanced_‚Äčcpcodes_‚Äčoutside_‚Äčgroup_‚Äčor_‚ÄčcontractThe property invokes a CP code that doesn't belong to its group or contract.
fixed_‚Äčlimit_‚ÄčexceededA limit has been exceeded for the property.
generic_‚Äčbehavior_‚Äčissue.cpcode_‚Äčcreated_‚ÄčrecentlyThe property invokes a recently created CP code that may not have fully propagated across the network. Activating the property version may disrupt your service.
generic_‚Äčbehavior_‚Äčissue.cpcode_‚Äčnot_‚ÄčavailableThe specified CP code can't be used with this property. If you just created the CP code, try again later.
limit_‚Äčkey.elements_‚Äčper_‚ÄčpropertyThe property exceeds the number of allowed behaviors and criteria.
limit_‚Äčkey.max_‚Äčnested_‚ÄčrulesThe property exceeds the number of nested rules allowed.
not_‚Äčgranted_‚Äčby_‚Äčmodules_‚Äčon_‚ÄčcontractYour current contract doesn't include a necessary module.
not_‚Äčgranted_‚Äčby_‚Äčmodules_‚Äčon_‚Äčcontract_‚ÄčreadonlyYour current contract doesn't include a necessary module.
product_‚Äčbehavior_‚Äčissue.cpcode_‚Äčincorrect_‚ÄčproductThe CP code isn't configured for use with this property's product, which may affect how traffic is reported.
product_‚Äčnot_‚Äčon_‚ÄčcontractThe product isn't available on your contract. Add the product to the contract, or switch the property to a different product or contract.

Match-specific

These errors relate to how specific match criteria execute. They may be listed within rule trees, and may prevent you from activating the property version.

TypeProblem
cloudlets_‚Äčorigin_‚ÄčgroupFor cloudletsOrigin criteria to work, there must be an allowCloudletsOrigins placed within a parent rule.
general_‚ÄčwarningThe criteria match may negatively affect performance. Test thoroughly on staging before deploying to production.
incompatible_‚Äčorigin_‚ÄčtypeThe cloudletsOrigin criteria only works when the origin behavior's originType is set to CUSTOMER, NET_STORAGE, or APPLICATION_LOAD_BALANCER.
incompatible_‚Äčwith_‚Äčany_‚ÄčconditionsSpecifying cloudletsOrigin along with any other criteria may make the origin inaccessible during a client request.
need_‚ÄčallowpatchTo use requestMethod to match PATCH requests, you need to enable the allowPatch behavior.
need_‚ÄčallowpostTo use requestMethod to match POST requests, you need to enable the allowPost behavior.
need_‚Äčtoken_‚Äčverify_‚ÄčbehaviorThe tokenAuthorization match requires a verifyTokenAuthorization behavior in a parent rule with its failureResponse option disabled.
need_‚ÄčwebdavTo use requestMethod to match the specified method, you need to enable the webdav behavior.
onlyonedgeCriteria such as clientIp, clientIpVersion, userLocation, and userNetwork only match on edge servers, not when requests are forwarded to other Akamai servers. Contact your Akamai representative for guidance.
options_‚Äčwith_‚ÄčwebdavRequests that specify the OPTIONS method are always passed to the origin, so you can't use requestMethod to match them.
origin_‚Äčis_‚ÄčrequiredThe cloudletsOrigin behavior must be paired with an origin behavior.
purge_‚ÄčwarningThe requestMethod match on AKAMAI_PURGE or AKAMAI_TRANSLATE values requires familiarity with Akamai's edge content purge system. Test thoroughly on staging before deploying to production.
requires_‚ÄčspdyThe bucket criteria can only be used along with the spdy behavior.
should_‚Äčvary_‚Äčby_‚Äčuser_‚ÄčagentWhen modifying content based on the deviceCharacteristic, you should use the modifyOutgoingResponseHeader behavior to specify a Vary: User-Agent header.
suggest_‚ÄčaudiencesegmentationRather than randomly segmenting your traffic, consider applying audienceSegmentation to divide users into different groups based on a persistent cookie.
upper_‚Äčlower_‚ÄčwarningThe match specifies a lowerBound value that's greater than the upperBound.
warn_‚Äčuse_‚ÄčheadersRequests that don't include an X-Forwarded-For header don't match. Consider disabling the useOnlyFirstXForwardedForIp option.

Behavior-specific

These errors relate to how specific behaviors execute. They may be listed within rule trees, and may prevent you from activating the property version.

TypeProblem
206overrideThe responseCode behavior's 206override option allows the 206 response to be overwritten, not recommended because it applies to byte-range responses. Confirm you want to do this, and contact your Akamai representative for guidance.
advanced_‚Äčon_‚Äčimage_‚Äčmanagement_‚ÄčoffThe imageManager behavior is configured to use a custom policy, but the behavior is disabled, so it has no effect.
advanced_‚Äčon_‚ÄčwarningWhen overriding the default policy, if the specified policyToken isn't found, imageManager applies the default and doesn't save the one you specified.
applicationloadbalancer_‚ÄčneededFor an APPLICATION_LOAD_BALANCER origin to work, an applicationLoadBalancer behavior must also be enabled.
aws_‚Äčverificationmode_‚ÄčvalidationTo set a third-party origin hostname, set the verificationMode to THIRD_PARTY or CUSTOM.
basic_‚Äčredirect_‚ÄčconflictYou can't specify both the redirect and redirectplus behaviors.
beware_‚Äčof_‚ÄčconditionsA behavior that implements a persistent connection may mean that a specified condition no longer works.
cache_‚Äčkey_‚Äčcase_‚Äčoff_‚Äčext_‚Äčcase_‚ÄčonWith cacheKeyIgnoreCase enabled, you shouldn't specify a case-sensitive match, otherwise two different requests that vary only by case may get different results, even though they refer to the same cached object.
cache_‚Äčkey_‚Äčcase_‚Äčoff_‚Äčfilename_‚Äčcase_‚ÄčonWith cacheKeyIgnoreCase enabled, you shouldn't specify a case-sensitive match, otherwise two different requests that vary only by case may get different results, even though they refer to the same cached object.
cache_‚Äčkey_‚Äčcase_‚Äčoff_‚Äčpath_‚Äčcase_‚ÄčonWith cacheKeyIgnoreCase enabled, you shouldn't specify a case-sensitive match, otherwise two different requests that vary only by case may get different results, even though they refer to the same cached object.
cache-key-query-paramsSince NET_STORAGE origin servers don't honor query strings, set cacheKeyQueryParams to IGNORE_ALL to avoid more than cache key for the same object.
cachingYou're potentially caching content identified as personallyIdentifiableInformation, so you should set the caching behavior to NO_STORE or BYPASS_CACHE.
caching_‚ÄčbypassThe specified behavior only applies to cacheable content, not when caching is set to NO_STORE or BYPASS_CACHE.
caching_‚ÄčenabledThe sureRoute behavior only applies when caching is set to NO_STORE.
caching_‚ÄčmaxageFor best performance when using a NET_STORAGE origin, set the caching ttl to over 10 minutes.
can_‚Äčnot_‚Äčmix_‚Äčdelegate_‚Äčand_‚ÄčcustomYou can't specify more than one origin behavior with a verificationMode of both PLATFORM_SETTINGS and CUSTOM.
centralauthA NET_STORAGE origin can't be used along with centralAuthorization.
changing_‚Äčcpcode_‚ÄčwarningCP codes specified by imageManager affect cached images. If you change the CP codes after deploying the images in a production environment, image caches get refreshed, which may overload your origin.
conflict_‚ÄčdscachingApplying a behavior that modifies Cache-Control or Expires headers may interfere with caching when both are applied to the same request.
cookie_‚Äčvalue_‚Äčempty_‚Äčneed_‚Äčto_‚Äčdisable_‚Äčsession_‚ÄčpersistenceThe edgeLoadBalancingOrigin behavior's enableSessionPersistence is on, but edgeLoadBalancingDataCenter is missing a cookieName.
cookie_‚Äčvalue_‚Äčset_‚Äčneed_‚Äčto_‚Äčenable_‚Äčsession_‚ÄčpersistenceThe edgeLoadBalancingOrigin behavior's enableSessionPersistence is off, but edgeLoadBalancingDataCenter specifies a cookieName that doesn't work.
cpcode_‚Äčbehavior_‚Äčnot_‚ÄčallowedThe cpCode behavior can't appear within the same rule as imageManager, which specifies its own CP code settings.
customer_‚ÄčoriginIf the origin server doesn't support etags, the largeFileOptimization behavior may not work correctly, and data may be corrupted.
disable_‚ÄčgzipWhen enabling edgeSideIncludes, don't set gzipResponse to ALWAYS work, otherwise content goes through compression and decompression unnecessarily.
dontallow_‚ÄčcachingThe downgradeProtocol behavior isn't allowed when caching is set to NO_STORE or BYPASS_CACHE.
dontallow_‚ÄčdeleteThe downgradeProtocol behavior isn't allowed along with allowDelete.
dontallow_‚ÄčmodoutgoingreqheaderThe downgradeProtocol behavior isn't allowed along with modifyOutgoingRequestHeader.
dontallow_‚ÄčpiiThe downgradeProtocol behavior isn't allowed for content marked as personallyIdentifiableInformation.
dontallow_‚ÄčpostThe downgradeProtocol behavior isn't allowed along with allowPost.
dontallow_‚ÄčputThe downgradeProtocol behavior isn't allowed along with allowPut.
downstream_‚ÄčbustThe shutr behavior busts downstream caches to prevent non-Akamai proxies from tampering with content. If downstreamCache is set to values other than BUST, shutr overrides it.
downstream_‚Äčcaching_‚ÄčindeterminateA specified behavior may expose content identified as personallyIdentifiableInformation. You should set a downstreamCache to BUST the cache, or ALLOW it but with sendPrivate enabled.
downstream_‚Äčcaching_‚Äčwithout_‚ÄčprivateA specified behavior may expose content identified as personallyIdentifiableInformation. You should set a downstreamCache to BUST the cache, or ALLOW it but with sendPrivate enabled.
elb_‚Äčmust_‚Äčuse_‚Äčother_‚ÄčcnWhen using an EDGE_LOAD_BALANCING_ORIGIN_GROUP origin, you can't specify {{Origin Hostname}} in the customValidCnValues.
elb_‚Äčorigin_‚Äčdefinition_‚ÄčneededTo specify an origin of EDGE_LOAD_BALANCING_ORIGIN_GROUP, you also need to enable an edgeLoadBalancingOrigin behavior that defines the origin.
elb_‚Äčorigin_‚ÄčmissingAn edgeLoadBalancingAdvanced behavior requires an accompanying edgeLoadBalancingOrigin.
empty_‚Äčcookie_‚Äčvalue_‚Äčand_‚Äčfailover_‚ÄčrulesThe edgeLoadBalancingDataCenter is invalid because its cookie value is empty and enableFailover is turned off.
extension_‚Äčmatch_‚ÄčadvisedTo apply this behavior to large files, you should match the fileExtension or otherwise avoid applying the behavior to small files, for which it may cause a delay.
filename_‚Äčmatch_‚ÄčadvisedYou should enable limitBitRate with a filename, fileExtension, or path match.
g2o_‚Äčmodoutgoing_‚ÄčwarningYou can't use modifyOutgoingResponseHeader to modify the X-Akamai-G2O-Auth-Data and X-Akamai-G2O-Auth-Sign headers specified by the g2oheader behavior.
http2_‚Äčrequires_‚ÄčsecureThe http2 behavior requires that the property is_‚Äčsecure.
includeallqsIf one cacheId behavior is set to INCLUDE_ALL_QUERY_PARAMS, there can't be another in the same rule that includes or excludes specific parameters.
includeqsIf one cacheId behavior is set to include a specific set of query parameters, there can't be another in the same rule that excludes others.
incompatible_‚ÄčoptsThe failAction behavior isn't compatible when the origin is set to EDGE_LOAD_BALANCING_ORIGIN_GROUP.
incompatible_‚ÄčoriginbasepathYou can't apply the rewriteUrl and baseDirectory behaviors to the same request.
incompatible_‚Äčppf_‚ÄčsiteshieldThe siteShield behavior is incompatible with predictivePrefetching.
incompatible_‚Äčwith_‚Äčany_‚ÄčconditionsYou can't specify allowCloudletsOrigins with any matching criteria.
incompatible_‚Äčwith_‚Äčany_‚ÄčfeaturesYou can't specify allowCloudletsOrigins along with any other behaviors. It must be alone in its own rule.
incompatible_‚Äčwith_‚ÄčnetstoragedeliveryReceipt isn't compatible when the origin is NET_STORAGE.
incompatibleesiYou may only enable akamaizer with edgeSideIncludes.
incompatibleredirectThe responseCode behavior may not work as expected along with redirect, because they use different status codes.
invalid_‚Äčorigincertstohonor_‚ÄčoptionsThe origin hostname is AWS and the verificationMode is CUSTOM, but the originCertsToHonor isn't set to STANDARD_CERTIFICATE_AUTHORITIES or COMBO.
ip_‚Äčaddress_‚ÄčoriginYou should specify your origin server as a hostname. IP addresses may be abruptly reassigned and negatively affect your service.
lfo_‚Äčwith_‚Äčtd_‚Äčch2A tieredDistribution whose tieredDistributionMap doesn't specify CH or CH2 can't be applied within a secure property along with a largeFileOptimization whose useVersioning is enabled.
logging_‚ÄčcookiesYou're using report to log values for cookies in responses identified as personallyIdentifiableInformation. Make sure the cookies aren't exposing sensitive information.
min_‚Äč24hr_‚Äčttl_‚ÄčrequiredAny rule that contains imageManager must also specify a caching behavior with a ttl of at least 1 day.
missing_‚Äčedge_‚Äčimage_‚ÄčconverterThe watermarkUrl behavior requires a corresponding edgeImageConversion in the same rule or in a child rule.
missing_‚Äčelb_‚ÄčoriginAn edgeLoadBalancingDataCenter requires an accompanying edgeLoadBalancingOrigin.
missing_‚ÄčoriginTo use simulateErrorCode for the ERR_NO_GOOD_FWD_IP error, healthDetection must be enabled.
mobile_‚Äč302_‚ÄčconflictMobile redirect only supports the 302 status code.
mobile_‚Äčdefault_‚ÄčconflictA mobile redirect can't be used in the same rule as a default redirect.
must_‚Äčbe_‚Äčin_‚Äčcloudlets_‚Äčorigin_‚ÄčgroupTo enable an origin of EDGE_LOAD_BALANCING_ORIGIN_GROUP, you also need to define a cloudletsOrigin rule.
need_‚Äčadditional_‚ÄčmatchThe prefetchable behavior needs to be enabled by a filename or fileExtension match.
need_‚Äčcustomer_‚ÄčoriginThe downgradeProtocol behavior is only allowed when the origin is set to CUSTOMER.
need_‚Äčdata_‚Äčcenter_‚ÄčdefinedTo enable the edgeLoadBalancingOrigin behavior's enableSessionPersistence option, you need to configure an edgeLoadBalancingDataCenter.
needs_‚ÄčakamaizerThe akamaizer behavior needs to be enabled for akamaizerTag to work.
needs_‚ÄčakamaizertagThere must be at least one akamaizerTag for akamaizer to work.
needs_‚Äčcontent_‚ÄčmatchThe edgeSideIncludes behavior may only be used in rules with matching criteria such as path, contentType, or filename.
needs_‚ÄčcontenttypeYou may only enable akamaizer within a contentType match.
netstorage_‚Äčhostname_‚ÄčwarningThe origin needs to be set to NET_STORAGE if the hostname is a subdomain of download.akamai.com, upload.akamai.com, or postfile.akamai.com.
no_‚Äčproperty_‚Äčhostname_‚ÄčcachekeyYou may not use instantConfig when the cacheKeyHostname of the origin is set to REQUEST_HOST_HEADER.
nonce_‚Äčsecret_‚Äčkey_‚ÄčwarningThe g2oheader behavior's nonce should be different than its secretKey.
not_‚ÄčcompatibleYou can't use verifyTokenAuthorization when segmentedContentProtection is enabled.
not_‚Äčvalidation_‚Äčhtml_‚ÄčwarningThe constructResponse response body should be valid XHTML.
notallow_‚ÄčextThe downgradeProtocol behavior can't be enabled by a fileExtension match.
notallow_‚ÄčfilenameThe downgradeProtocol behavior can't be enabled by a filename match.
notallow_‚ÄčprotocolThe downgradeProtocol behavior can't be enabled by a requestProtocol match.
objects_‚Äčcant_‚Äčexceed_‚Äč1mbObjects served with edgeSideIncludes may not be larger than 1MB.
origin_‚Äčacl_‚Äčmust_‚Äčbe_‚Äčupdated_‚ÄčmanuallyAn old origin version specifies a cachekeyhostname of requesthostheader.
origin_‚Äčacl_‚Äčmust_‚Äčbe_‚Äčupdated_‚Äčmanually_‚ÄčelbAn old origin version specifies an elb_‚Äčorigin_‚Äčgroup of type.
origin_‚Äčelb_‚Äčdefinition_‚ÄčwarningedgeLoadBalancingOrigin doesn't work unless the origin is set to EDGE_LOAD_BALANCING_ORIGIN_GROUP.
origin_‚Äčg2o_‚ÄčerrorYou shouldn't use the g2oheader behavior when the origin is set to NET_STORAGE.
origin_‚ÄčnetstorageThe origin can't be set to NET_STORAGE if segmentedMediaOptimization is set to stream LIVE.
performance_‚ÄčwarningThe akamaizer behavior isn't recommended for sites that routinely serve more than 100 hits per second.
prefetchThe instant behavior is a superset of prefetch, and they're mutually exclusive. Remove either behavior.
prefetching_‚Äčnever_‚ÄčenabledThe prefetchable behavior has no effect unless you apply prefetch to the page users access, and which contains links to the prefetchable objects.
prefetching_‚Äčwith_‚ÄčssThe siteShield behavior is incompatible with prefetching.
prune_‚Äčquery_‚ÄčwhennsA NET_STORAGE origin server ignores query parameters, so it's more efficient to disable the rewriteUrl behavior's keepQueryString option.
receiptdelivery_‚Äčrequires_‚Äčallow_‚ÄčpostApplying deliveryReceipt requires that you enable allowPost.
receiptdelivery_‚Äčrequires_‚Äčbypass_‚ÄčcacheApplying deliveryReceipt requires that you set caching to BYPASS_CACHE.
receiptdelivery_‚Äčrequires_‚ÄčsecuredeliveryReceipt requires that the property is_‚Äčsecure.
regex_‚Äčvalidation_‚ÄčnotsecureWhen siteShield is used in a non-secure property, the domain name of the ssmap must end with .akamai.net.
regex_‚Äčvalidation_‚ÄčsecureWhen siteShield is used in a secure property, the domain name of the ssmap must end with .akamaiedge.net.
regex_‚Äčvalidation_‚ÄčsurerouteThe sureRoute behavior's customMap must be a subdomain of akasrg.akamai.com.
requireakamaizerThe savePostDcaProcessing behavior doesn't work properly unless akamaizer is enabled.
required_‚Äčmdc_‚Äčfor_‚Äčsaas_‚ÄčcnameFor a behavior to specify a CNAME chain, the instantConfig behavior must also be enabled, or the property must be secure.
required_‚Äčnegative_‚ÄčcachingWhen your origin is set to NET_STORAGE, set the cacheError with a ttl of at least 30 seconds.
required_‚Äčthird_‚Äčparty_‚ÄčsetThe origin hostname is AWS, the verificationMode is set to CUSTOM, and originCertsToHonor is set to STANDARD_CERTIFICATE_AUTHORITIES or COMBO, but standardCertificateAuthorities doesn't include THIRD_PARTY_AMAZON.
requires_‚Äčcaching_‚ÄčenabledTo set the cache's ID, the caching behavior must be enabled.
requires_‚Äčextension_‚ÄčmatchThe imageManager behavior requires a fileExtension match.
requires_‚Äčhoit_‚ÄčmatchThe http2 and spdy behaviors can only be enabled within a hostname match.
requires_‚ÄčmfroThe randomSeek behavior works best when mediaFileRetrievalOptimization is enabled.
requires_‚ÄčnonsecureTo apply instantConfig requires a non-secure property.
requires_‚Äčorigin_‚Äčcacheley_‚Äčinc_‚ÄčhhYou can't use cacheKeyRewrite when the origin behavior's cacheKeyHostname is set to REQUEST_HOST_HEADER.
requires_‚Äčrequestmethod_‚ÄčmatchYou can only enable the webdav behavior when matching a requestMethod.
requirescachingWhen using cachePost, you should also use caching to define a caching strategy.
requirespostThe savePostDcaProcessing behavior requires either allowPost or cachePost to be enabled.
requirespostcachingThe savePostDcaProcessing behavior requires cachePost to be enabled.
responsecode_‚ÄčconflictThe response code defined in constructResponse and responseCode don't match.
saas_‚Äčorigin_‚Äčhostname_‚ÄčcnWhen using a SAAS_DYNAMIC_ORIGIN origin, you can't specify {{Origin Hostname}} in the customValidCnValues.
salt_‚ÄčdeprecatedThe verifyTokenAuthorization behavior's salt option will be removed in a future release, so you should remove it from your code.
scheduledinvalidationWhen the origin is NET_STORAGE, the scheduleInvalidation behavior's repeatInterval must be at least 5 minutes.
secret_‚Äčkey_‚ÄčwarningThe g2oheader behavior's secretKey must be at least 10 alphanumeric characters long.
spdy_‚Äčrequires_‚ÄčsecureThe spdy behavior requires that the property is_‚Äčsecure.
sr_‚Äčss_‚Äčmap_‚ÄčmismatchA sureRoute behavior specifies a type of CUSTOM_MAP, and the customMap doesn't match what's specified by siteShield.
sr_‚Äčwith_‚ÄčssWith siteShield enabled, the optimization type for sureRoute should be CUSTOM_MAP.
ss_‚ÄčincompatibleThe instant behavior is incompatible with siteShield.
ssl_‚Äčcustom_‚Äčwarning_‚Äčaux_‚ÄčlistIn an early version of the origin behavior, origin_‚Äčcert_‚Äčdelete is set to custom.
ssl_‚Äčcustom_‚Äčwarning_‚ÄčexpertDue to the security risk, Akamai strongly recommends you consult with your organization's security expert before configuring the origin SSL certificate verification settings. If you're the security expert and have any questions, contact your account team.
ssl_‚Äčcustom_‚Äčwarning_‚Äčtest_‚ÄčstagingIf you're changing your origin SSL certificate verification settings, to avoid a service outage Akamai strongly recommends testing on the staging network before activating on production.
ssl_‚Äčdelegate_‚Äčwarning_‚ÄčintroThe origin behavior has been enhanced to address the FOSSL exploit.
ssl_‚Äčdelegate_‚Äčwarning_‚ÄčrotateThe origin behavior has been enhanced to address the FOSSL exploit.
ssl_‚Äčwarn_‚ÄčwarningAn older origin version specifies a verificationMode of INSECURE.
subrules_‚Äčneed_‚ÄčconditionFor allowCloudletsOrigins to work, you need to nest at least one rule with a single cloudletsOrigin criteria.
suggest_‚ÄčedgeredirectorInstead of redirect, consider using the edgeRedirector Cloudlet, which allows non-IT staff to manage large numbers of redirects.
sureroute_‚ÄčrequiredWhen applying instant to content whose caching is NO_STORE, the content must also have sureRoute enabled or it isn't prefetched.
tcip_‚Äčallow_‚Äčclients_‚Äčto_‚Äčset_‚ÄčonThe origin is configured to allow clients to set the True-Client-IP header, meaning the IP value sent to the origin may not be the one the client used to connect to the edge server. While this may be useful for testing, it may allow users to bypass IP-based restrictions on your origin server.
tcpoptisdeprecatedThe tcpOptimization behavior is deprecated, and you should remove it.
td_‚Äčwith_‚Äčmodify_‚ÄčinplaceThe tieredDistribution behavior can't be enabled when the largeFileOptimization behavior's useVersioning is disabled.
td_‚Äčwith_‚ÄčssThe siteShield behavior is incompatible with tieredDistribution because both determine which Akamai servers connect directly to the origin.
third_‚Äčparty_‚ÄčverificationmodeSetting the origin's verificationMode to THIRD_PARTY is incompatible with the specified originType.
tiereddistribution_‚ÄčrequiredWhen applying instant to cacheable content, it must also have tieredDistribution enabled or it isn't prefetched.
unpurgeableEnabling a behavior within a specified criteria prevents Content Control Utility from purging by URL. Contact your Akamai representative for guidance.
urlrewrite_‚ÄčincompatibleWhen using removeQueryParameter, the rewriteUrl behavior's keepQueryString must also be enabled.
usebodyThe cachePost behavior specifies a useBody of MD5 or QUERY, but there's no accompanying cacheId.
warn_‚Äčnot_‚ÄčconnnectingipWhen setting denyAccess, disable the match's useOnlyFirstXForwardedForIp to prevent malicious end users from using X-Forwarded-For headers to bypass the policy.
warn_‚ÄčregexTest any regular expressions you specify in rewriteUrl on the staging network and contact your Akamai representative if you're uncertain how to use this option.
wildcard_‚Äčmatch_‚ÄčadvisedYou should enable limitBitRate with a filename, fileExtension, or path match.
with_‚Äčignore_‚ÄčcaseTo apply cacheKeyIgnoreCase, you need to lowercase the elements specified by an accompanying cacheId, otherwise they never match.
within_‚Äčcloudlets_‚Äčorigins_‚ÄčgroupThis Cloudlet behavior may not work as expected when added to the same rule that sets the cloudletsOrigin. Consider moving it to a different rule.

Other

These fallback errors may occur when modifying a rule tree:

TypeProblem
unknown_‚ÄčmessageUnknown rule tree validation error.
unknown_‚Äčvalidation_‚ÄčtypeUnknown value error.