.. _envoy_v3_api_file_envoy/extensions/http/header_validators/envoy_default/v3/header_validator.proto: Envoy's default Header Validator config (proto) =============================================== .. _envoy_v3_api_msg_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig: extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig ------------------------------------------------------------------------ :repo:`[extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig proto] ` This extension validates that HTTP request and response headers are well formed according to respective RFCs. The validator performs comprehensive HTTP header validation including: #. HTTP/1 header map validity according to `RFC 7230 section 3.2 `_. #. Syntax of HTTP/1 request target URI and response status. #. HTTP/2 header map validity according to `RFC 7540 section 8.1.2 `_. #. Syntax of HTTP/2 pseudo headers. #. HTTP/3 header map validity according to `RFC 9114 section 4.3 `_. #. Syntax of HTTP/3 pseudo headers. #. Syntax of Content-Length and Transfer-Encoding. #. Validation of HTTP/1 requests with both ``Content-Length`` and ``Transfer-Encoding`` headers. #. Normalization of the URI path according to `Normalization and Comparison `_ without `case normalization `_. This validator ensures that HTTP traffic processed by Envoy conforms to established standards and helps prevent issues caused by malformed headers or invalid HTTP syntax. .. code-block:: json :force: { "http1_protocol_options": {...}, "uri_path_normalization_options": {...}, "restrict_http_methods": ..., "headers_with_underscores_action": ..., "strip_fragment_from_path": ... } .. _envoy_v3_api_field_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.http1_protocol_options: http1_protocol_options (:ref:`extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.Http1ProtocolOptions `) HTTP/1 protocol specific options. These settings control HTTP/1 specific validation behaviors. .. _envoy_v3_api_field_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.uri_path_normalization_options: uri_path_normalization_options (:ref:`extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions `) The URI path normalization options. By default Envoy normalizes URI path using the default values of the :ref:`UriPathNormalizationOptions `. URI path transformations specified by the ``uri_path_normalization_options`` configuration can be applied to a portion of requests by setting the ``envoy_default_header_validator.uri_path_transformations`` runtime value. .. attention:: Disabling path normalization may lead to path confusion vulnerabilities in access control or incorrect service selection. .. _envoy_v3_api_field_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.restrict_http_methods: restrict_http_methods (`bool `_) Restrict HTTP methods to these defined in the `RFC 7231 section 4.1 `_. Envoy will respond with 400 to requests with disallowed methods. By default methods with arbitrary names are accepted. This setting helps enforce HTTP compliance and can prevent attacks that rely on non-standard HTTP methods. .. _envoy_v3_api_field_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.headers_with_underscores_action: headers_with_underscores_action (:ref:`extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.HeadersWithUnderscoresAction `) Action to take when a client request with a header name containing underscore characters is received. If this setting is not specified, the value defaults to ``ALLOW``. This setting provides security control over headers with underscores, which can be a source of security issues when different systems interpret underscores and hyphens differently. .. _envoy_v3_api_field_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.strip_fragment_from_path: strip_fragment_from_path (`bool `_) Allow requests with fragment in URL path and strip the fragment before request processing. By default Envoy rejects requests with fragment in URL path. When this option is enabled, the fragment portion (everything after ``#``) will be removed from the path before further processing. Fragments are typically used by client-side applications and should not normally be sent to the server, so stripping them can help normalize requests. .. _envoy_v3_api_msg_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions: extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions ---------------------------------------------------------------------------------------------------- :repo:`[extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions proto] ` Configuration options for URI path normalization and transformation. These options control how Envoy processes and normalizes incoming request URI paths to ensure consistent behavior and security. Path normalization helps prevent path traversal attacks and ensures that equivalent paths are handled consistently. .. code-block:: json :force: { "skip_path_normalization": ..., "skip_merging_slashes": ..., "path_with_escaped_slashes_action": ... } .. _envoy_v3_api_field_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions.skip_path_normalization: skip_path_normalization (`bool `_) Should paths be normalized according to RFC 3986? This operation overwrites the original request URI path and the new path is used for processing of the request by HTTP filters and proxied to the upstream service. Envoy will respond with 400 to requests with malformed paths that fail path normalization. The default behavior is to normalize the path. This value may be overridden by the runtime variable :ref:`http_connection_manager.normalize_path`. See `Normalization and Comparison `_ for details of normalization. .. note:: Envoy does not perform `case normalization `_. URI path normalization can be applied to a portion of requests by setting the ``envoy_default_header_validator.path_normalization`` runtime value. .. _envoy_v3_api_field_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions.skip_merging_slashes: skip_merging_slashes (`bool `_) Determines if adjacent slashes in the path are merged into one. This operation overwrites the original request URI path and the new path is used for processing of the request by HTTP filters and proxied to the upstream service. Setting this option to ``true`` will cause incoming requests with path ``//dir///file`` to not match against route with ``prefix`` match set to ``/dir``. Defaults to ``false``. .. note:: Slash merging is not part of the `HTTP spec `_ and is provided for convenience. Merging of slashes in URI path can be applied to a portion of requests by setting the ``envoy_default_header_validator.merge_slashes`` runtime value. .. _envoy_v3_api_field_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions.path_with_escaped_slashes_action: path_with_escaped_slashes_action (:ref:`extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions.PathWithEscapedSlashesAction `) The action to take when request URL path contains escaped slash sequences (``%2F``, ``%2f``, ``%5C`` and ``%5c``). This operation may overwrite the original request URI path and the new path is used for processing of the request by HTTP filters and proxied to the upstream service. The handling of escaped slashes is important for security as these sequences can be used in path confusion attacks to bypass access controls. .. _envoy_v3_api_enum_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions.PathWithEscapedSlashesAction: Enum extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions.PathWithEscapedSlashesAction -------------------------------------------------------------------------------------------------------------------------------------- :repo:`[extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions.PathWithEscapedSlashesAction proto] ` Determines the action for requests that contain ``%2F``, ``%2f``, ``%5C`` or ``%5c`` sequences in the URI path. This operation occurs before URL normalization and the merge slashes transformations if they were enabled. Escaped slash sequences in URLs can be used for path confusion attacks, so proper handling is important for security. .. _envoy_v3_api_enum_value_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions.PathWithEscapedSlashesAction.IMPLEMENTATION_SPECIFIC_DEFAULT: IMPLEMENTATION_SPECIFIC_DEFAULT *(DEFAULT)* ⁣Default behavior specific to implementation (i.e. Envoy) of this configuration option. Envoy, by default, takes the ``KEEP_UNCHANGED`` action. .. note:: The implementation may change the default behavior at-will. .. _envoy_v3_api_enum_value_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions.PathWithEscapedSlashesAction.KEEP_UNCHANGED: KEEP_UNCHANGED ⁣Keep escaped slashes unchanged in the URI path. This preserves the original request path without any modifications to escaped sequences. .. _envoy_v3_api_enum_value_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions.PathWithEscapedSlashesAction.REJECT_REQUEST: REJECT_REQUEST ⁣Reject client request with the 400 status. gRPC requests will be rejected with the ``INTERNAL`` (13) error code. The :ref:`httpN.downstream_rq_failed_path_normalization ` counter is incremented for each rejected request. This is the safest option when security is a primary concern, as it prevents any potential path confusion attacks by rejecting requests with escaped slashes entirely. .. _envoy_v3_api_enum_value_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions.PathWithEscapedSlashesAction.UNESCAPE_AND_REDIRECT: UNESCAPE_AND_REDIRECT ⁣Unescape ``%2F`` and ``%5C`` sequences and redirect the request to the new path if these sequences were present. The redirect occurs after path normalization and merge slashes transformations if they were configured. .. note:: gRPC requests will be rejected with the ``INTERNAL`` (13) error code. This option minimizes possibility of path confusion exploits by forcing request with unescaped slashes to traverse all parties: downstream client, intermediate proxies, Envoy and upstream server. The :ref:`httpN.downstream_rq_redirected_with_normalized_path ` counter is incremented for each redirected request. .. _envoy_v3_api_enum_value_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions.PathWithEscapedSlashesAction.UNESCAPE_AND_FORWARD: UNESCAPE_AND_FORWARD ⁣Unescape ``%2F`` and ``%5C`` sequences. .. attention:: This option should not be enabled if intermediaries perform path based access control as it may lead to path confusion vulnerabilities. .. _envoy_v3_api_msg_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.Http1ProtocolOptions: extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.Http1ProtocolOptions --------------------------------------------------------------------------------------------- :repo:`[extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.Http1ProtocolOptions proto] ` HTTP/1 protocol specific options for header validation. These options control how Envoy handles HTTP/1 specific behaviors and edge cases that may not apply to HTTP/2 or HTTP/3 protocols. .. code-block:: json :force: { "allow_chunked_length": ... } .. _envoy_v3_api_field_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.Http1ProtocolOptions.allow_chunked_length: allow_chunked_length (`bool `_) Allows Envoy to process HTTP/1 requests/responses with both ``Content-Length`` and ``Transfer-Encoding`` headers set. By default such messages are rejected, but if option is enabled - Envoy will remove the ``Content-Length`` header and process the message. See `RFC7230, sec. 3.3.3 `_ for details. .. attention:: Enabling this option might lead to request smuggling vulnerabilities, especially if traffic is proxied via multiple layers of proxies. .. _envoy_v3_api_enum_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.HeadersWithUnderscoresAction: Enum extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.HeadersWithUnderscoresAction ---------------------------------------------------------------------------------------------------------- :repo:`[extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.HeadersWithUnderscoresAction proto] ` Action to take when Envoy receives client request with header names containing underscore characters. Underscore character is allowed in header names by RFC-7230, and this behavior is implemented as a security measure due to systems that treat ``_`` and ``-`` as interchangeable. Envoy by default allows client request headers with underscore characters. This setting provides control over how to handle such headers for security and compatibility reasons. .. _envoy_v3_api_enum_value_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.HeadersWithUnderscoresAction.ALLOW: ALLOW *(DEFAULT)* ⁣Allow headers with underscores. This is the default behavior. .. _envoy_v3_api_enum_value_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.HeadersWithUnderscoresAction.REJECT_REQUEST: REJECT_REQUEST ⁣Reject client request. HTTP/1 requests are rejected with the 400 status. HTTP/2 requests end with the stream reset. The :ref:`httpN.requests_rejected_with_underscores_in_headers ` counter is incremented for each rejected request. .. _envoy_v3_api_enum_value_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.HeadersWithUnderscoresAction.DROP_HEADER: DROP_HEADER ⁣Drop the client header with name containing underscores. The header is dropped before the filter chain is invoked and as such filters will not see dropped headers. The :ref:`httpN.dropped_headers_with_underscores ` is incremented for each dropped header.