diff --git a/src/h3.c b/src/h3.c
index 95a8303af..17d1b2668 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -419,6 +419,7 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
 	int hdr_idx, ret;
 	int cookie = -1, last_cookie = -1, i;
 	const char *ctl;
+	int relaxed = !!(h3c->qcc->proxy->options2 & PR_O2_REQBUG_OK);
 
 	/* RFC 9114 4.1.2. Malformed Requests and Responses
 	 *
@@ -520,6 +521,20 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
 				len = -1;
 				goto out;
 			}
+
+			if (!relaxed) {
+				/* we need to reject any control chars or '#' from the path,
+				 * unless option accept-invalid-http-request is set.
+				 */
+				ctl = ist_find_range(list[hdr_idx].v, 0, '#');
+				if (unlikely(ctl) && http_path_has_forbidden_char(list[hdr_idx].v, ctl)) {
+					TRACE_ERROR("forbidden character in ':path' pseudo-header", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
+					h3s->err = H3_MESSAGE_ERROR;
+					len = -1;
+					goto out;
+				}
+			}
+
 			path = list[hdr_idx].v;
 		}
 		else if (isteq(list[hdr_idx].n, ist(":scheme"))) {