Package io.envoyproxy.envoy.extensions.http.header_validators.envoy_default.v3

Class HeaderValidatorConfig

java.lang.Object
com.google.protobuf.AbstractMessageLite
com.google.protobuf.AbstractMessage
com.google.protobuf.GeneratedMessageV3
io.envoyproxy.envoy.extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig
All Implemented Interfaces:
com.google.protobuf.Message, com.google.protobuf.MessageLite, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, HeaderValidatorConfigOrBuilder, Serializable
public final class HeaderValidatorConfig extends com.google.protobuf.GeneratedMessageV3 implements HeaderValidatorConfigOrBuilder
 This extension validates that HTTP request and response headers are well formed according to respective RFCs.

 The validator performs comprehensive HTTP header validation including:

 #. HTTP/1 header map validity according to `RFC 7230 section 3.2 <https://datatracker.ietf.org/doc/html/rfc7230#section-3.2>`_.
 #. Syntax of HTTP/1 request target URI and response status.
 #. HTTP/2 header map validity according to `RFC 7540 section 8.1.2 <https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2>`_.
 #. Syntax of HTTP/2 pseudo headers.
 #. HTTP/3 header map validity according to `RFC 9114 section 4.3  <https://www.rfc-editor.org/rfc/rfc9114.html>`_.
 #. Syntax of HTTP/3 pseudo headers.
 #. Syntax of Content-Length and Transfer-Encoding.
 #. Validation of HTTP/1 requests with both ``Content-Length`` and ``Transfer-Encoding`` headers.
 #. Normalization of the URI path according to `Normalization and Comparison <https://datatracker.ietf.org/doc/html/rfc3986#section-6>`_
    without `case normalization <https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1>`_.

 This validator ensures that HTTP traffic processed by Envoy conforms to established
 standards and helps prevent issues caused by malformed headers or invalid HTTP syntax.

 [#comment:TODO(yanavlasov): Put #extension: envoy.http.header_validators.envoy_default after it is not hidden any more]
 [#next-free-field: 6]
Protobuf type envoy.extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig
See Also:

  • Field Details

    • HTTP1_PROTOCOL_OPTIONS_FIELD_NUMBER

      public static final int HTTP1_PROTOCOL_OPTIONS_FIELD_NUMBER
      See Also:

    • URI_PATH_NORMALIZATION_OPTIONS_FIELD_NUMBER

      public static final int URI_PATH_NORMALIZATION_OPTIONS_FIELD_NUMBER
      See Also:

    • RESTRICT_HTTP_METHODS_FIELD_NUMBER

      public static final int RESTRICT_HTTP_METHODS_FIELD_NUMBER
      See Also:

    • HEADERS_WITH_UNDERSCORES_ACTION_FIELD_NUMBER

      public static final int HEADERS_WITH_UNDERSCORES_ACTION_FIELD_NUMBER
      See Also:

    • STRIP_FRAGMENT_FROM_PATH_FIELD_NUMBER

      public static final int STRIP_FRAGMENT_FROM_PATH_FIELD_NUMBER
      See Also:

  • Method Details

    • newInstance

      protected Object newInstance(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused)
      Overrides:
      newInstance in class com.google.protobuf.GeneratedMessageV3

    • getDescriptor

      public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

    • internalGetFieldAccessorTable

      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
      Specified by:
      internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3

    • hasHttp1ProtocolOptions

      public boolean hasHttp1ProtocolOptions()
       HTTP/1 protocol specific options.
 These settings control HTTP/1 specific validation behaviors.
      .envoy.extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.Http1ProtocolOptions http1_protocol_options = 1;
      Specified by:
      hasHttp1ProtocolOptions in interface HeaderValidatorConfigOrBuilder
      Returns:
      Whether the http1ProtocolOptions field is set.

    • getHttp1ProtocolOptions

      public HeaderValidatorConfig.Http1ProtocolOptions getHttp1ProtocolOptions()
       HTTP/1 protocol specific options.
 These settings control HTTP/1 specific validation behaviors.
      .envoy.extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.Http1ProtocolOptions http1_protocol_options = 1;
      Specified by:
      getHttp1ProtocolOptions in interface HeaderValidatorConfigOrBuilder
      Returns:
      The http1ProtocolOptions.

    • getHttp1ProtocolOptionsOrBuilder

      public HeaderValidatorConfig.Http1ProtocolOptionsOrBuilder getHttp1ProtocolOptionsOrBuilder()
       HTTP/1 protocol specific options.
 These settings control HTTP/1 specific validation behaviors.
      .envoy.extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.Http1ProtocolOptions http1_protocol_options = 1;
      Specified by:
      getHttp1ProtocolOptionsOrBuilder in interface HeaderValidatorConfigOrBuilder

    • hasUriPathNormalizationOptions

      public boolean hasUriPathNormalizationOptions()
       The URI path normalization options.

 By default Envoy normalizes URI path using the default values of the :ref:`UriPathNormalizationOptions
 <envoy_v3_api_msg_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions>`.
 URI path transformations specified by the ``uri_path_normalization_options`` configuration can be applied to a portion
 of requests by setting the ``envoy_default_header_validator.uri_path_transformations`` runtime value.

 .. attention::

   Disabling path normalization may lead to path confusion vulnerabilities in access control or incorrect service
   selection.
      .envoy.extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions uri_path_normalization_options = 2;
      Specified by:
      hasUriPathNormalizationOptions in interface HeaderValidatorConfigOrBuilder
      Returns:
      Whether the uriPathNormalizationOptions field is set.

    • getUriPathNormalizationOptions

      public HeaderValidatorConfig.UriPathNormalizationOptions getUriPathNormalizationOptions()
       The URI path normalization options.

 By default Envoy normalizes URI path using the default values of the :ref:`UriPathNormalizationOptions
 <envoy_v3_api_msg_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions>`.
 URI path transformations specified by the ``uri_path_normalization_options`` configuration can be applied to a portion
 of requests by setting the ``envoy_default_header_validator.uri_path_transformations`` runtime value.

 .. attention::

   Disabling path normalization may lead to path confusion vulnerabilities in access control or incorrect service
   selection.
      .envoy.extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions uri_path_normalization_options = 2;
      Specified by:
      getUriPathNormalizationOptions in interface HeaderValidatorConfigOrBuilder
      Returns:
      The uriPathNormalizationOptions.

    • getUriPathNormalizationOptionsOrBuilder

      public HeaderValidatorConfig.UriPathNormalizationOptionsOrBuilder getUriPathNormalizationOptionsOrBuilder()
       The URI path normalization options.

 By default Envoy normalizes URI path using the default values of the :ref:`UriPathNormalizationOptions
 <envoy_v3_api_msg_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions>`.
 URI path transformations specified by the ``uri_path_normalization_options`` configuration can be applied to a portion
 of requests by setting the ``envoy_default_header_validator.uri_path_transformations`` runtime value.

 .. attention::

   Disabling path normalization may lead to path confusion vulnerabilities in access control or incorrect service
   selection.
      .envoy.extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions uri_path_normalization_options = 2;
      Specified by:
      getUriPathNormalizationOptionsOrBuilder in interface HeaderValidatorConfigOrBuilder

    • getRestrictHttpMethods

      public boolean getRestrictHttpMethods()
       Restrict HTTP methods to these defined in the `RFC 7231 section 4.1 <https://datatracker.ietf.org/doc/html/rfc7231#section-4.1>`_.

 Envoy will respond with 400 to requests with disallowed methods.
 By default methods with arbitrary names are accepted.

 This setting helps enforce HTTP compliance and can prevent attacks that rely on
 non-standard HTTP methods.
      bool restrict_http_methods = 3;
      Specified by:
      getRestrictHttpMethods in interface HeaderValidatorConfigOrBuilder
      Returns:
      The restrictHttpMethods.

    • getHeadersWithUnderscoresActionValue

      public int getHeadersWithUnderscoresActionValue()
       Action to take when a client request with a header name containing underscore characters is received.

 If this setting is not specified, the value defaults to ``ALLOW``.

 This setting provides security control over headers with underscores, which can be a source
 of security issues when different systems interpret underscores and hyphens differently.
      .envoy.extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.HeadersWithUnderscoresAction headers_with_underscores_action = 4;
      Specified by:
      getHeadersWithUnderscoresActionValue in interface HeaderValidatorConfigOrBuilder
      Returns:
      The enum numeric value on the wire for headersWithUnderscoresAction.

    • getHeadersWithUnderscoresAction

      public HeaderValidatorConfig.HeadersWithUnderscoresAction getHeadersWithUnderscoresAction()
       Action to take when a client request with a header name containing underscore characters is received.

 If this setting is not specified, the value defaults to ``ALLOW``.

 This setting provides security control over headers with underscores, which can be a source
 of security issues when different systems interpret underscores and hyphens differently.
      .envoy.extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.HeadersWithUnderscoresAction headers_with_underscores_action = 4;
      Specified by:
      getHeadersWithUnderscoresAction in interface HeaderValidatorConfigOrBuilder
      Returns:
      The headersWithUnderscoresAction.

    • getStripFragmentFromPath

      public boolean getStripFragmentFromPath()
       Allow requests with fragment in URL path and strip the fragment before request processing.

 By default Envoy rejects requests with fragment in URL path. When this option is enabled,
 the fragment portion (everything after ``#``) will be removed from the path before
 further processing.

 Fragments are typically used by client-side applications and should not normally
 be sent to the server, so stripping them can help normalize requests.
      bool strip_fragment_from_path = 5;
      Specified by:
      getStripFragmentFromPath in interface HeaderValidatorConfigOrBuilder
      Returns:
      The stripFragmentFromPath.

    • isInitialized

      public final boolean isInitialized()
      Specified by:
      isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
      Overrides:
      isInitialized in class com.google.protobuf.GeneratedMessageV3

    • writeTo

      public void writeTo(com.google.protobuf.CodedOutputStream output) throws IOException
      Specified by:
      writeTo in interface com.google.protobuf.MessageLite
      Overrides:
      writeTo in class com.google.protobuf.GeneratedMessageV3
      Throws:
      IOException

    • getSerializedSize

      public int getSerializedSize()
      Specified by:
      getSerializedSize in interface com.google.protobuf.MessageLite
      Overrides:
      getSerializedSize in class com.google.protobuf.GeneratedMessageV3

    • equals

      public boolean equals(Object obj)
      Specified by:
      equals in interface com.google.protobuf.Message
      Overrides:
      equals in class com.google.protobuf.AbstractMessage

    • hashCode

      public int hashCode()
      Specified by:
      hashCode in interface com.google.protobuf.Message
      Overrides:
      hashCode in class com.google.protobuf.AbstractMessage

    • parseFrom

      public static HeaderValidatorConfig parseFrom(ByteBuffer data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static HeaderValidatorConfig parseFrom(ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static HeaderValidatorConfig parseFrom(com.google.protobuf.ByteString data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static HeaderValidatorConfig parseFrom(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static HeaderValidatorConfig parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static HeaderValidatorConfig parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static HeaderValidatorConfig parseFrom(InputStream input) throws IOException
      Throws:
      IOException

    • parseFrom

      public static HeaderValidatorConfig parseFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException

    • parseDelimitedFrom

      public static HeaderValidatorConfig parseDelimitedFrom(InputStream input) throws IOException
      Throws:
      IOException

    • parseDelimitedFrom

      public static HeaderValidatorConfig parseDelimitedFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException

    • parseFrom

      public static HeaderValidatorConfig parseFrom(com.google.protobuf.CodedInputStream input) throws IOException
      Throws:
      IOException

    • parseFrom

      public static HeaderValidatorConfig parseFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException

    • newBuilderForType

      public HeaderValidatorConfig.Builder newBuilderForType()
      Specified by:
      newBuilderForType in interface com.google.protobuf.Message
      Specified by:
      newBuilderForType in interface com.google.protobuf.MessageLite

    • newBuilder

      public static HeaderValidatorConfig.Builder newBuilder()

    • newBuilder

      public static HeaderValidatorConfig.Builder newBuilder(HeaderValidatorConfig prototype)

    • toBuilder

      public HeaderValidatorConfig.Builder toBuilder()
      Specified by:
      toBuilder in interface com.google.protobuf.Message
      Specified by:
      toBuilder in interface com.google.protobuf.MessageLite

    • newBuilderForType

      protected HeaderValidatorConfig.Builder newBuilderForType(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)
      Specified by:
      newBuilderForType in class com.google.protobuf.GeneratedMessageV3

    • getDefaultInstance

      public static HeaderValidatorConfig getDefaultInstance()

    • parser

      public static com.google.protobuf.Parser<HeaderValidatorConfig> parser()

    • getParserForType

      public com.google.protobuf.Parser<HeaderValidatorConfig> getParserForType()
      Specified by:
      getParserForType in interface com.google.protobuf.Message
      Specified by:
      getParserForType in interface com.google.protobuf.MessageLite
      Overrides:
      getParserForType in class com.google.protobuf.GeneratedMessageV3

    • getDefaultInstanceForType

      public HeaderValidatorConfig getDefaultInstanceForType()
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder