diff --git a/include/haproxy/global.h b/include/haproxy/global.h
index fb7b62b6c..c69955c81 100644
--- a/include/haproxy/global.h
+++ b/include/haproxy/global.h
@@ -99,6 +99,7 @@ static inline unsigned long thread_mask(unsigned long mask)
 /* handle 'tainted' status */
 enum tainted_flags {
 	TAINTED_CONFIG_EXP_KW_DECLARED = 0x1,
+	TAINTED_ACTION_EXP_EXECUTED    = 0x2,
 };
 void mark_tainted(const enum tainted_flags flag);
 unsigned int get_tainted();
diff --git a/src/http_ana.c b/src/http_ana.c
index b35664645..a3618b904 100644
--- a/src/http_ana.c
+++ b/src/http_ana.c
@@ -16,6 +16,7 @@
 #include <haproxy/backend.h>
 #include <haproxy/base64.h>
 #include <haproxy/capture-t.h>
+#include <haproxy/cfgparse.h>
 #include <haproxy/channel.h>
 #include <haproxy/check.h>
 #include <haproxy/connection.h>
@@ -2798,6 +2799,9 @@ static enum rule_result http_req_get_intercept_rule(struct proxy *px, struct lis
 
 		act_opts |= ACT_OPT_FIRST;
   resume_execution:
+		if (rule->kw->flags & KWF_EXPERIMENTAL)
+			mark_tainted(TAINTED_ACTION_EXP_EXECUTED);
+
 		/* Always call the action function if defined */
 		if (rule->action_ptr) {
 			if ((s->req.flags & CF_READ_ERROR) ||
@@ -2943,6 +2947,8 @@ static enum rule_result http_res_get_intercept_rule(struct proxy *px, struct lis
 
 		act_opts |= ACT_OPT_FIRST;
 resume_execution:
+		if (rule->kw->flags & KWF_EXPERIMENTAL)
+			mark_tainted(TAINTED_ACTION_EXP_EXECUTED);
 
 		/* Always call the action function if defined */
 		if (rule->action_ptr) {
diff --git a/src/http_rules.c b/src/http_rules.c
index a34c56095..54fa0e9f0 100644
--- a/src/http_rules.c
+++ b/src/http_rules.c
@@ -92,6 +92,16 @@ struct act_rule *parse_http_req_cond(const char **args, const char *file, int li
 		cur_arg = 1;
 		/* try in the module list */
 		rule->kw = custom;
+
+		if (custom->flags & KWF_EXPERIMENTAL) {
+			if (!experimental_directives_allowed) {
+				ha_alert("parsing [%s:%d] : '%s' action is experimental, must be allowed via a global 'expose-experimental-directives'\n",
+				         file, linenum, custom->kw);
+				goto out_err;
+			}
+			mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
+		}
+
 		if (custom->parse(args, &cur_arg, proxy, rule, &errmsg) == ACT_RET_PRS_ERR) {
 			ha_alert("parsing [%s:%d] : error detected in %s '%s' while parsing 'http-request %s' rule : %s.\n",
 				 file, linenum, proxy_type_str(proxy), proxy->id, args[0], errmsg);
@@ -161,6 +171,16 @@ struct act_rule *parse_http_res_cond(const char **args, const char *file, int li
 		cur_arg = 1;
 		/* try in the module list */
 		rule->kw = custom;
+
+		if (custom->flags & KWF_EXPERIMENTAL) {
+			if (!experimental_directives_allowed) {
+				ha_alert("parsing [%s:%d] : '%s' action is experimental, must be allowed via a global 'expose-experimental-directives'\n",
+				         file, linenum, custom->kw);
+				goto out_err;
+			}
+			mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
+		}
+
 		if (custom->parse(args, &cur_arg, proxy, rule, &errmsg) == ACT_RET_PRS_ERR) {
 			ha_alert("parsing [%s:%d] : error detected in %s '%s' while parsing 'http-response %s' rule : %s.\n",
 				 file, linenum, proxy_type_str(proxy), proxy->id, args[0], errmsg);