Authorization Policy Normalization

This page describes all the supported normalizations in the authorization policy. The normalized request is used both to evaluate authorization policies and as the request that is ultimately sent to the backend server.

For more information, please refer to authorization normalization best practices.

This applies to the paths field and the notPaths field.

1. Single percent-encoded character (%HH)

Istio will normalize the single percent-encoded character as follows (normalization happens only once, no double decoding):

| Percent-Encoded Character (case insensitive) | Normalized Result | Note | Enable |
| --- | --- | --- | --- |
| %00 | N/A | The request will always be rejected with HTTP code 400 | N/A |
| %2d | - | (dash) | Enabled by default with the normalization option BASE |
| %2e | . | (dot) | Enabled by default with the normalization option BASE |
| %2f | / | (forward slash) | Disabled by default, can be enabled with the normalization option DECODE_AND_MERGE_SLASHES |
| %30 - %39 | 0 - 9 | (digit) | Enabled by default with the normalization option BASE |
| %41 - %5a | A - Z | (letters in uppercase) | Enabled by default with the normalization option BASE |
| %5c | \ | (backslash) | Disabled by default, can be enabled with the normalization option DECODE_AND_MERGE_SLASHES |
| %5f | _ | (underscore) | Enabled by default with the normalization option BASE |
| %61 - %7a | a - z | (letters in lowercase) | Enabled by default with the normalization option BASE |
| %7e | ~ | (tilde) | Enabled by default with the normalization option BASE |

For example, with the normalization option DECODE_AND_MERGE_SLASHES enabled, the request with path /some%2fdata/%61%62%63 will be normalized to /some/data/abc.

2. Backslash (\)

Istio will normalize the backslash \ to the forward slash /. For example, the request with path /some\data will be normalized to /some/data.

This is enabled by default with the normalization option BASE.

3. Multiple forward slashes (//, ///, etc.)

Istio will merge multiple forward slashes to a single forward slash (/). For example, the request with path /some//data///abc will be normalized to /some/data/abc.

This is disabled by default but can be enabled with the normalization option MERGE_SLASHES. If enabled, the path may not match a path with the path template operator {**}. For example, once MERGE_SLASHES is enabled, /some/data//abc will no longer match /some/data/{**}/abc since the path will be normalized to /some/data/abc.

4. Single dot and double dots (/./, /../)

Istio will resolve single dot /./ and double dot /../ according to RFC 3986. The single dot will be resolved as the current directory, and the double dots will be resolved as the parent directory.

For example, /public/./data/abc/../xyz will be normalized to /public/data/xyz.

This is enabled by default with the normalization option BASE.

5. Path with query (/foo?v=1)

Istio authorization policy will remove anything after the question mark (?) when comparing with the path. Note the backend application will still see the query.

This is enabled by default.
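The path rules above can be modelled in a few lines to check what string a paths or notPaths entry is actually compared against. This is an added example, not Istio or Envoy code: the function names, the order in which the steps run, and the assumption that MERGE_SLASHES and DECODE_AND_MERGE_SLASHES each include the BASE steps are assumptions of this sketch.

```python
import re

# Escapes decoded by BASE (table above): - . 0-9 A-Z _ a-z ~
BASE_HEX = r"2d|2e|3[0-9]|4[1-9a-f]|5[0-9a]|5f|6[1-9a-f]|7[0-9a]|7e"
# Escaped slashes, decoded only with DECODE_AND_MERGE_SLASHES
SLASH_HEX = r"2f|5c"


def remove_dot_segments(path):
    """Resolve /./ and /../ as in RFC 3986 section 5.2.4 (absolute paths only)."""
    segs = path.split("/")[1:]
    if segs and segs[-1] in (".", ".."):
        segs.append("")          # "/a/b/.." resolves to "/a/", keeping the slash
    out = []
    for seg in segs:
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/" + "/".join(out)


def normalize(raw, option="BASE"):
    """Return (http_status, path the policy is compared against)."""
    path = raw.split("?", 1)[0]                  # query is ignored for matching
    if "%00" in path:
        return 400, None                         # always rejected
    hexes = BASE_HEX
    if option == "DECODE_AND_MERGE_SLASHES":
        hexes += "|" + SLASH_HEX
    # One left-to-right pass: output of a decode is never decoded again.
    path = re.sub(f"%({hexes})", lambda m: chr(int(m.group(1), 16)), path, flags=re.I)
    path = path.replace("\\", "/")               # step order here is an assumption
    path = remove_dot_segments(path)
    if option in ("MERGE_SLASHES", "DECODE_AND_MERGE_SLASHES"):
        path = re.sub(r"/{2,}", "/", path)
    return 200, path


if __name__ == "__main__":
    # Constructed sample requests
    for raw in ["/public/%2E%2e/admin", "/%252e%252e/admin", "/admin//x?v=1", "/a%00"]:
        for opt in ("BASE", "MERGE_SLASHES", "DECODE_AND_MERGE_SLASHES"):
            print(f"{opt:26} {raw:24} -> {normalize(raw, opt)}")
```

Running candidate request paths through such a model before writing a policy shows whether the rule needs to list the encoded form, the merged form, or both for the normalization option in use.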

This applies to the methods and notMethods fields.

1. Method not in upper case

Istio will reject requests with HTTP 400 if the verb in the HTTP request is not in upper case.

This is enabled by default.

This applies to the header name specified in the request.headers[<header-name>] condition.

1. Case-insensitive matching

Istio authorization policy compares header names case-insensitively.

This is enabled by default.

2. Duplicate headers

Istio will merge duplicate headers into a single header by concatenating all values, using a comma as the separator.

The authorization policy will do a simple string match on the merged headers. For example, a request with header x-header: foo and x-header: bar will be merged to x-header: foo,bar.

This is enabled by default.

3. White space in header name

Istio will reject requests with HTTP 400 if the header name includes any whitespace.

This is enabled by default.