g2oheader

Suggest Edits

Version: `v2025-01-13`	Includes use: Yes

Behavior name: Signature Header Authentication

The signature header authentication (g2o) security feature provides header-based verification of outgoing origin requests. Edge servers encrypt request data in a pre-defined header, which the origin uses to verify that the edge server processed the request. This behavior configures the request data, header names, encryption algorithm, and shared secret to use for verification.

Default behavior

These samples reflect the behavior's default settings. You can use these as is in your configurations or make adjustments based on the behavior's available options.

data "akamai_property_rules_builder" "g20_header" {
  rules_v2025_02_18 {
    name     = "Signature Header Authentication"
    comments = "Provides header-based verification of outgoing origin requests."
    behavior {
      g20_header {
        enabled                = true
        data_header            = "X-Akamai-G2O-Auth-Data"
        signed_header          = "X-Akamai-G2O-Auth-Sign"
        encoding_version       = 5
        use_custom_sign_string = false
        secretKey              = ""
        nonce                  = ""
      }
    }
  }
}

"behaviors": [
  {
  "name": "g2oheader",
  "options": {
    "enabled": true,
    "dataHeader": "X-Akamai-G2O-Auth-Data",
    "signedHeader": "X-Akamai-G2O-Auth-Sign",
    "encodingVersion": 5,
    "useCustomSignString": false,
    "secretKey": "",
    "nonce": ""
    }
  }
]

Options

Option	Description
`enabled`	Boolean Enables the g2o verification behavior.
`data_header`	String Specifies the name of the header that contains the request data that needs to be encrypted.
`signed_header`	String Specifies the name of the header containing encrypted request data.
`encoding_version`	Enum Specifies the version of the encryption algorithm as an integer. Value range is `1`-`5`.
`use_custom_sign_string`	Boolean When disabled, the encrypted string is based on the forwarded URL. If enabled, you can use `custom_sign_string` to customize the set of data to encrypt.
`custom_sign_string`	String array \| Requires: `use_custom_string_string` is `true` Specifies the set of data to be encrypted as a combination of concatenated strings. Possible values are: `AK_METHOD`. Incoming request method. `AK_SCHEME`. Incoming request scheme (HTTP or HTTPS). `AK_HOSTHEADER`. Incoming request hostname. `AK_DOMAIN`. Incoming request domain. `AK_URL`. Incoming request URL. `AK_PATH`. Incoming request path. `AK_QUERY`. Incoming request query string. `AK_FILENAME`. Incoming request filename. `AK_EXTENSION`. Incoming request filename extension. `AK_CLIENT_REAL_IP`. Incoming client IP.
`secret_key`	Object array Specifies the shared secret key.
`nonce`	String Specifies the cryptographic nonce string.

Updated about 1 hour ago