Request Path¶
Protecting Against Path-Based Attacks Through Sanitization and Filtering
Traefik implements multiple layers of security when processing incoming request paths. This includes path sanitization to normalize potentially dangerous sequences and encoded character filtering to prevent attack vectors that use URL encoding. Understanding how Traefik handles request paths is crucial for maintaining a secure routing infrastructure.
How Traefik Processes Request Paths¶
When Traefik receives an HTTP request, it processes the request path through several security-focused stages:
1. Encoded Character Filtering¶
Traefik inspects the path for potentially dangerous encoded characters and rejects requests containing them unless explicitly allowed.
Here is the list of the encoded characters that are rejected by default:
| Encoded Character | Character |
|---|---|
%2f or %2F |
/ (slash) |
%5c or %5C |
\ (backslash) |
%00 |
NULL (null character) |
%3b or %3B |
; (semicolon) |
%25 |
% (percent) |
%3f or %3F |
? (question mark) |
%23 |
# (hash) |
2. Path Normalization¶
Traefik normalizes the request path by decoding the unreserved percent-encoded characters, as they are equivalent to their non-encoded form (according to rfc3986#section-2.3), and capitalizing the percent-encoded characters (according to rfc3986#section-6.2.2.1).
3. Path Sanitization¶
Traefik sanitizes request paths to prevent common attack vectors,
by removing the .., . and duplicate slash segments from the URL (according to rfc3986#section-6.2.2.3).
Path Security Configuration¶
Traefik provides two main mechanisms for path security that work together to protect your applications.
Path Sanitization¶
Path sanitization is enabled by default and helps prevent directory traversal attacks by normalizing request paths. Configure it in the EntryPoints HTTP section:
entryPoints:
websecure:
address: ":443"
http:
sanitizePath: true # Default: true (recommended)[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http]
sanitizePath = true--entryPoints.websecure.address=:443
--entryPoints.websecure.http.sanitizePath=trueSanitization behavior:
./foo/bar→/foo/bar(removes relative current directory)/foo/../bar→/bar(resolves parent directory traversal)/foo/bar//→/foo/bar/(removes duplicate slashes)/./foo/../bar//→/bar/(combines all normalizations)
Encoded Character Filtering¶
Encoded character filtering provides an additional security layer by rejecting potentially dangerous URL-encoded characters. Configure it in the EntryPoints HTTP section.
This filtering occurs before path sanitization and catches attack attempts that use encoding to bypass other security controls.
All encoded character filtering is enabled by default (false means encoded characters are rejected), providing maximum security:
entryPoints:
websecure:
address: ":443"
encodedCharacters:
allowEncodedSlash: false # %2F - Default: false (RECOMMENDED)
allowEncodedBackSlash: false # %5C - Default: false (RECOMMENDED)
allowEncodedNullCharacter: false # %00 - Default: false (RECOMMENDED)
allowEncodedSemicolon: false # %3B - Default: false (RECOMMENDED)
allowEncodedPercent: false # %25 - Default: false (RECOMMENDED)
allowEncodedQuestionMark: false # %3F - Default: false (RECOMMENDED)
allowEncodedHash: false # %23 - Default: false (RECOMMENDED)[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.encodedCharacters]
allowEncodedSlash = false
allowEncodedBackSlash = false
allowEncodedNullCharacter = false
allowEncodedSemicolon = false
allowEncodedPercent = false
allowEncodedQuestionMark = false
allowEncodedHash = false--entryPoints.websecure.address=:443
--entryPoints.websecure.encodedCharacters.allowEncodedSlash=false
--entryPoints.websecure.encodedCharacters.allowEncodedBackSlash=false
--entryPoints.websecure.encodedCharacters.allowEncodedNullCharacter=false
--entryPoints.websecure.encodedCharacters.allowEncodedSemicolon=false
--entryPoints.websecure.encodedCharacters.allowEncodedPercent=false
--entryPoints.websecure.encodedCharacters.allowEncodedQuestionMark=false
--entryPoints.websecure.encodedCharacters.allowEncodedHash=false