strict_​header_​parsing

Behavior name: Strict Header Parsing

This behavior specifies how the edge servers should handle requests containing improperly formatted or invalid headers that don’t comply with RFC 9110.

Some clients may send invalid or incorrectly-formatted, non-RFC-compliant request headers. If such requests reach the origin server, this vulnerability can be exploited by a “bad actor”, for example to poison your cache and cause invalid content to be returned to your end users. Use Strict Header Parsing to tell the edge servers what requests to reject, independently of the Akamai platform's default behavior. Therefore, you may either get the protection earlier than the global customer base or defer changes to a later time, though not recommended.

Note: The two modes are independent. Each of them concerns a different issue with the request headers. For both options, a warning is written to the edge server logs whether the option is enabled or disabled.

As Akamai strives to be fully RFC-compliant, you should enable both options as best practice.

Enabling both options ensures that Akamai edge servers reject requests with invalid headers and don’t forward them to your origin. In such cases, the end user receives a 400 Bad Request HTTP response code.

Default behavior

These samples reflect the behavior's default settings. You can use these as is in your configurations or make adjustments based on the behavior's available options.

data "akamai_property_rules_builder" "strict_header_parsing" {
  rules_v2025_02_18 {
    name     = "Strict Header Parsing"
    comments = "Specifies how the edge servers should handle requests containing improperly formatted or invalid headers that don’t comply with RFC 9110."
    behavior {
      strict_header_parsing {
        valid_mode  = true
        strict_mode = true
      }
    }
  }
}

"behaviors": [
  {
    "name": "strictHeaderParsing",
    "options": {
      "validMode": true,
      "strictMode": true
    }
  }
]

Options