From e0e49533ab57f8095f5731ab724db356150f4080 Mon Sep 17 00:00:00 2001 From: Romain Date: Tue, 9 Dec 2025 15:28:04 +0100 Subject: [PATCH] Clarify doc about encodedCharacters rejection --- docs/content/migration/v2.md | 3 +++ docs/content/routing/entrypoints.md | 7 ++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/content/migration/v2.md b/docs/content/migration/v2.md index ede92005e..a7fa96ffd 100644 --- a/docs/content/migration/v2.md +++ b/docs/content/migration/v2.md @@ -733,4 +733,7 @@ Here is the list of the encoded characters that are rejected by default, along w | `%3f` or `%3F` | `?` (question mark) | `entryPoints..`
`.http.encodedCharacters`
`.allowEncodedQuestionMark` | | `%23` | `#` (hash) | `entryPoints..`
`.http.encodedCharacters`
`.allowEncodedHash` | +Note: This check is not done against query parameters, +but only against the request path as defined in [RFC3986 section-3](https://datatracker.ietf.org/doc/html/rfc3986#section-3). + Please check out the entrypoint [encodedCharacters option](../routing/entrypoints.md#encoded-characters) documentation for more details. diff --git a/docs/content/routing/entrypoints.md b/docs/content/routing/entrypoints.md index 908fb08f0..253d19100 100644 --- a/docs/content/routing/entrypoints.md +++ b/docs/content/routing/entrypoints.md @@ -1021,7 +1021,12 @@ entryPoints: ### Encoded Characters You can configure Traefik to control the handling of encoded characters in request paths for security purposes. -By default, Traefik rejects requests containing certain encoded characters that could be used in path traversal or other security attacks. +By default, Traefik rejects requests with path containing certain encoded characters that could be used in path traversal or other security attacks. + +!!! info + + This check is not done against the request query parameters, + but only against the request path as defined in [RFC3986 section-3](https://datatracker.ietf.org/doc/html/rfc3986#section-3). !!! warning "Security Considerations"