/support/notes/service/sap_logo.png){kind=logo}
SAP Knowledge Base Article - PublicSymptom
Starting June 2023, Akamai will automatically deny requests, that have non-RFC compliant headers, across the SuccessFactors platform.
Environment
SAP SuccessFactors HCM Suite
Cause
Currently, Akamai Edge servers allow certain invalid HTTP headers to pass through, treating them as custom headers. This is necessary to support large volumes of legitimate traffic flows and origin applications that rely on invalid headers to function correctly. However, this could sometimes lead to unexpected interactions between Akamai and origin servers, depending on the origin’s request processing behavior.
Here are the special characters that result in a non-RFC compliant header name (Please refer to RFC 9110 for full details):
"(" or ")" or "<" or ">" or "@" or "," or ";" or ":" or "\" or "<" or ">" or "/" or "[" or "]" or "?" or "=" or "{" or "}"
When the platform change goes live, requests to SuccessFactors domains that do not meet RFC compliant header specifications will be denied.
Resolution
This not expected to impact customers using SuccessFactors, since there would be no legitimate reason why browsers or API clients would be sending HTTP request headers with the invalid characters.
Only scenarios where this might be foreseen to happen are penetration testing attempts that are deliberately sending requests with invalid characters in the HTTP header. And if so, rejecting such invalid HTTP requests would be the ideal thing to do from a security perspective.
Keywords
KBA , LOD-SF-PLT , Platform Foundational Capabilities , LOD-SF-EC , Employee Central , LOD-SF-INT , Integrations , LOD-SF-RCM , Recruiting Management , LOD-SF-OBD , Onboarding , LOD-SF-PM , Performance Management , Product Enhancement
/support/notes/service/facebook.svg)
/support/notes/service/twitter.svg)
/support/notes/service/youtube.svg)
/support/notes/service/linkedin.svg)
/support/notes/service/instagram2.svg)