SAP Knowledge Base Article - Public

3345730 - Changes related to non-RFC compliant headers - SAP SuccessFactors

Symptom

Starting June 2023, Akamai will automatically deny requests that carry non-RFC compliant header names, across the entire SuccessFactors platform.

Environment

SAP SuccessFactors HXM Suite

Cause

Currently, Akamai Edge servers allow certain invalid HTTP headers to pass through, treating them as custom headers. This has been necessary to support large volumes of legitimate traffic and origin applications that rely on such headers to function. However, passing invalid headers through can lead to unexpected interactions between Akamai and origin servers, depending on how the origin parses the request.


An HTTP header (field) name must be a token as defined in RFC 9110 (please refer to RFC 9110, section 5.6.2, for full details). The following delimiter characters are therefore not allowed in a header name and result in a non-RFC compliant header:

"(" or ")" or "<" or ">" or "@" or "," or ";" or ":" or "\" or "/" or "[" or "]" or "?" or "=" or "{" or "}"

RFC 9110 also excludes the double quote character, whitespace and control characters from tokens, so a header name containing any of those is non-compliant as well.

When the platform change goes live, requests to SuccessFactors domains that do not meet RFC compliant header specifications will be denied.
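The following script is an added example for checking a client's own requests before the change goes live; it is not SAP's or Akamai's code and does not reproduce Akamai's exact filtering logic. It validates every header name in a raw HTTP/1.1 request against the RFC 9110 token grammar (tchar), which is the rule the delimiter list above is derived from. The sample requests, the hostname example.invalid and the header names in them are constructed for illustration.

```python
"""Check HTTP/1.1 request header names against the RFC 9110 token grammar."""
import string

# RFC 9110, section 5.6.2:
#   token = 1*tchar
#   tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
#           "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
# A field (header) name is a token (section 5.1), so anything outside this
# set makes the header non-compliant.
TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.digits + string.ascii_letters)


def invalid_chars(name: str) -> list:
    """Return every character in a header name that is not a tchar.

    This covers the delimiters in the KBA list ( ) < > @ , ; : \\ / [ ] ? = { }
    and also DQUOTE, whitespace, control characters and non-ASCII bytes,
    all of which RFC 9110 excludes from tokens.
    """
    return [c for c in name if c not in TCHAR]


def is_rfc_field_name(name: str) -> bool:
    """True if the name is a non-empty RFC 9110 token."""
    return bool(name) and not invalid_chars(name)


def check_request(raw: bytes) -> dict:
    """Parse the header section of a raw HTTP/1.1 request (CRLF terminated)
    and map each non-compliant field name to its offending characters.

    The bytes are decoded as Latin-1 so every byte value maps to exactly one
    character and nothing is silently dropped. A header line without a colon
    is reported under its full text with the marker '<no colon>'.
    """
    text = raw.decode("latin-1")
    head, _, _body = text.partition("\r\n\r\n")
    findings = {}
    for line in head.split("\r\n")[1:]:  # element 0 is the request line
        if line == "":
            continue
        name, sep, _value = line.partition(":")
        if not sep:
            findings[line] = ["<no colon>"]
            continue
        bad = invalid_chars(name)
        if bad:
            findings[name] = bad
    return findings


# Constructed sample requests (hypothetical; not real SuccessFactors traffic).
GOOD_REQUEST = (
    b"GET /odata/v2/User HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Accept: application/json\r\n"
    b"X-Custom-Trace_Id: abc123\r\n"   # '-' and '_' are valid tchar
    b"\r\n"
)

BAD_REQUEST = (
    b"GET /odata/v2/User HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"X-(Test): 1\r\n"                 # parentheses are delimiters
    b"X-Test{}: 1\r\n"                 # braces are delimiters
    b"X Test: 1\r\n"                   # a space is not a tchar either
    b"X-\"quoted\": 1\r\n"             # DQUOTE is excluded from tokens
    b"NoColonHere\r\n"                 # not a field line at all
    b"\r\n"
)

if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        result = check_request(req)
        print(label, result or "all header names are RFC 9110 tokens")
```

Running the script reports nothing for the first request and lists the four bad names plus the colon-less line for the second. One limitation worth knowing: a colon inside a header name cannot be told apart from the name/value separator by this parser (or by any HTTP parser), which is exactly why ":" is a delimiter; such a line is simply parsed as a shorter name with a longer value.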


Resolution

This is not expected to impact customers using SuccessFactors, since there is no legitimate reason for browsers or API clients to send HTTP request headers whose names contain the invalid characters.

The only scenario in which this is foreseen to happen is a penetration test that deliberately sends requests with invalid characters in HTTP header names. In that case, rejecting such malformed requests at the edge is the desired behaviour from a security perspective; a test that relies on such headers reaching the origin should expect a denied response after the change.

Keywords

KBA , LOD-SF-PLT , Platform Foundational Capabilities , LOD-SF-EC , Employee Central , LOD-SF-INT , Integrations , LOD-SF-RCM , Recruiting Management , LOD-SF-OBD , Onboarding , LOD-SF-PM , Performance Management , Product Enhancement

Product

SAP SuccessFactors HXM Suite 2305