Version: v2025-01-13
Includes use: Yes

Behavior name: Signature Header Authentication

The signature header authentication (g2o) security feature provides header-based verification of outgoing origin requests. Edge servers encrypt request data in a pre-defined header, which the origin uses to verify that the edge server processed the request. This behavior configures the request data, header names, encryption algorithm, and shared secret to use for verification.

Default behavior

These samples reflect the behavior's default settings. You can use these as is in your configurations or make adjustments based on the behavior's available options.

data "akamai_property_rules_builder" "g2oheader" {
  rules_v2025_01_13 {
    name     = "Signature Header Authentication"
    comments = "Provides header-based verification of outgoing origin requests."
    behavior {
      g2oheader {
        enabled                = true
        data_header            = "X-Akamai-G2O-Auth-Data"
        signed_header          = "X-Akamai-G2O-Auth-Sign"
        encoding_version       = 5
        use_custom_sign_string = false
        # Shared secret and nonce are left empty in the default sample.
        secret_key             = ""
        nonce                  = ""
      }
    }
  }
}

"behaviors": [
  {
    "name": "g2oheader",
    "options": {
      "enabled": true,
      "dataHeader": "X-Akamai-G2O-Auth-Data",
      "signedHeader": "X-Akamai-G2O-Auth-Sign",
      "encodingVersion": 5,
      "useCustomSignString": false,
      "secretKey": "",
      "nonce": ""
    }
  }
]

Options

Option: Description

enabled
  Enables the g2o verification behavior.
data_header
  Specifies the name of the header that contains the request data that needs to be encrypted.
signed_header
  Specifies the name of the header containing encrypted request data.
encoding_version
  Specifies the version of the encryption algorithm as an integer. Value range is 1-5.
use_custom_sign_string
  When disabled, the encrypted string is based on the forwarded URL. If enabled, you can use custom_sign_string to customize the set of data to encrypt.
custom_sign_string
  Specifies the set of data to be encrypted as a combination of concatenated strings. Possible values are:
    • AK_METHOD. Incoming request method.
    • AK_SCHEME. Incoming request scheme (HTTP or HTTPS).
    • AK_HOSTHEADER. Incoming request hostname.
    • AK_DOMAIN. Incoming request domain.
    • AK_URL. Incoming request URL.
    • AK_PATH. Incoming request path.
    • AK_QUERY. Incoming request query string.
    • AK_FILENAME. Incoming request filename.
    • AK_EXTENSION. Incoming request filename extension.
    • AK_CLIENT_REAL_IP. Incoming client IP.
secret_key
  Specifies the shared secret key.
nonce
  Specifies the cryptographic nonce string.
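
An origin-side check for the two headers configured above, as an added example (not Akamai's code and not part of this page). It assumes details this page does not spell out: the data header carries `version, edge-ip, client-ip, time, unique-id, nonce`, version 5 is base64(HMAC-SHA256(secret, data + sign string)), and the nonce selects which secret was used. `sign_v5`, `verify`, `MAX_SKEW` and all sample values are hypothetical.

```python
import base64
import hashlib
import hmac
import time

DATA_HEADER = "X-Akamai-G2O-Auth-Data"   # data_header from the config above
SIGN_HEADER = "X-Akamai-G2O-Auth-Sign"   # signed_header from the config above
MAX_SKEW = 30  # seconds of clock drift tolerated (assumed value)

def sign_v5(secret, data, sign_string):
    # Assumed version 5 scheme: base64(HMAC-SHA256(secret, data + sign_string)).
    mac = hmac.new(secret.encode(), (data + sign_string).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def verify(headers, sign_string, secrets, now=None):
    """Return (ok, reason). secrets maps nonce -> shared secret (assumed role)."""
    data, sig = headers.get(DATA_HEADER), headers.get(SIGN_HEADER)
    if not data or not sig:
        return False, "missing header"
    fields = [f.strip() for f in data.split(",")]
    if len(fields) != 6:
        return False, "malformed data header"
    version, _edge_ip, _client_ip, ts, _uid, nonce = fields
    if version != "5":  # accept only the configured encoding_version
        return False, "unexpected version"
    secret = secrets.get(nonce)
    if secret is None:
        return False, "unknown nonce"
    if not (ts.isascii() and ts.isdigit()):
        return False, "malformed data header"
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW:  # limits replay of a captured header pair
        return False, "stale timestamp"
    expected = sign_v5(secret, data, sign_string)
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample: documentation IP ranges, made-up secret and nonce.
    secrets = {"nonce-a": "constructed-secret"}
    data = "5, 192.0.2.10, 198.51.100.7, 1700000000, 1234.5678, nonce-a"
    sig = sign_v5("constructed-secret", data, "/index.html")
    good = {DATA_HEADER: data, SIGN_HEADER: sig}
    print(verify(good, "/index.html", secrets, now=1700000005))  # accepted
    print(verify(good, "/admin", secrets, now=1700000005))       # rejected
```

With use_custom_sign_string disabled, the `sign_string` passed to `verify` is the forwarded URL as the origin received it; keeping two nonce entries in `secrets` lets the origin accept both keys during a rotation.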