mirrors/traefik
1
0
Fork 0
mirror of https://github.com/traefik/traefik.git synced 2025-12-06 01:51:16 +01:00
Code Issues Projects Releases Wiki Activity
traefik/docs/content/security/request-path.md
kevinpollet 61ad0f13e8
Merge branch v2.11 into v3.6
2025-12-04 16:25:18 +01:00

5.1 KiB
Raw Blame History

title, description
title description
Request Path Learn how Traefik processes and secures request paths through sanitization and encoded character filtering to protect against path traversal and injection attacks.

Request Path

Protecting Against Path-Based Attacks Through Sanitization and Filtering {: .subtitle }

Traefik implements multiple layers of security when processing incoming request paths. This includes path sanitization to normalize potentially dangerous sequences and encoded character filtering to prevent attack vectors that use URL encoding. Understanding how Traefik handles request paths is crucial for maintaining a secure routing infrastructure.

How Traefik Processes Request Paths

When Traefik receives an HTTP request, it processes the request path through several security-focused stages:

1. Encoded Character Filtering

Traefik inspects the path for potentially dangerous encoded characters and rejects requests containing them unless explicitly allowed.

Here is the list of the encoded characters that are rejected by default:

Encoded Character Character
%2f or %2F / (slash)
%5c or %5C \ (backslash)
%00 NULL (null character)
%3b or %3B ; (semicolon)
%25 % (percent)
%3f or %3F ? (question mark)
%23 # (hash)

2. Path Normalization

Traefik normalizes the request path by decoding the unreserved percent-encoded characters, as they are equivalent to their non-encoded form (according to rfc3986#section-2.3), and capitalizing the percent-encoded characters (according to rfc3986#section-6.2.2.1).

3. Path Sanitization

Traefik sanitizes request paths to prevent common attack vectors, by removing the .., . and duplicate slash segments from the URL (according to rfc3986#section-6.2.2.3).

Path Security Configuration

Traefik provides two main mechanisms for path security that work together to protect your applications.

Path Sanitization

Path sanitization is enabled by default and helps prevent directory traversal attacks by normalizing request paths. Configure it in the EntryPoints HTTP section:

entryPoints:
  websecure:
    address: ":443"
    http:
      sanitizePath: true  # Default: true (recommended)

[entryPoints.websecure]
  address = ":443"

  [entryPoints.websecure.http]
    sanitizePath = true

--entryPoints.websecure.address=:443
--entryPoints.websecure.http.sanitizePath=true

Sanitization behavior:

  • ./foo/bar/foo/bar (removes relative current directory)
  • /foo/../bar/bar (resolves parent directory traversal)
  • /foo/bar///foo/bar/ (removes duplicate slashes)
  • /./foo/../bar///bar/ (combines all normalizations)

Encoded Character Filtering

Encoded character filtering provides an additional security layer by rejecting potentially dangerous URL-encoded characters. Configure it in the EntryPoints HTTP section.

This filtering occurs before path sanitization and catches attack attempts that use encoding to bypass other security controls.

All encoded character filtering is enabled by default (false means encoded characters are rejected), providing maximum security:

entryPoints:
  websecure:
    address: ":443"
    encodedCharacters:
      allowEncodedSlash: false          # %2F - Default: false (RECOMMENDED)
      allowEncodedBackSlash: false      # %5C - Default: false (RECOMMENDED)
      allowEncodedNullCharacter: false  # %00 - Default: false (RECOMMENDED)
      allowEncodedSemicolon: false      # %3B - Default: false (RECOMMENDED)
      allowEncodedPercent: false        # %25 - Default: false (RECOMMENDED)
      allowEncodedQuestionMark: false   # %3F - Default: false (RECOMMENDED)
      allowEncodedHash: false           # %23 - Default: false (RECOMMENDED)

[entryPoints.websecure]
  address = ":443"

  [entryPoints.websecure.encodedCharacters]
    allowEncodedSlash = false
    allowEncodedBackSlash = false
    allowEncodedNullCharacter = false
    allowEncodedSemicolon = false
    allowEncodedPercent = false
    allowEncodedQuestionMark = false
    allowEncodedHash = false

--entryPoints.websecure.address=:443
--entryPoints.websecure.encodedCharacters.allowEncodedSlash=false
--entryPoints.websecure.encodedCharacters.allowEncodedBackSlash=false
--entryPoints.websecure.encodedCharacters.allowEncodedNullCharacter=false
--entryPoints.websecure.encodedCharacters.allowEncodedSemicolon=false
--entryPoints.websecure.encodedCharacters.allowEncodedPercent=false
--entryPoints.websecure.encodedCharacters.allowEncodedQuestionMark=false
--entryPoints.websecure.encodedCharacters.allowEncodedHash=false