Cloudflare Proxied Protection exception

Our mobile app keeps getting session timeouts after login if Cloudflare Proxied Protection is enabled:

We suspect the very likely root cause is as follows:
a) The mobile app sends the session token via a custom HTTP header that has symbols (dots) in its name.
b) Cloudflare does not forward headers with symbols (dots) in their names.

Currently, we can only think of the solution below:
Enable RFC7230 headers on Cloudflare, which should support dots in headers.

Besides this, is there any other solution able to resolve the above issue? Thank you.

Cloudflare does not seem to support dots in HTTP header field names. I just tested this by deploying a quick Worker that echoes HTTP request headers back, and a header with a dot in the name is dropped.

While I understand the annoyance, this is the kind of change that, realistically, won’t get done quickly, if at all. It would be a lot easier to change your application to not use a dot in the field name. I don’t think very many people realize they are allowed (I didn’t, until I saw your post and checked) and a lot of software probably won’t deal with them correctly.

1 Like

NGINX removes headers with a dot in the name by default. Cloudflare’s web-server is a fork of NGINX, therefore Cloudflare also removes headers with a dot in the name.

While RFC7230 states that dots are allowed in HTTP header names, the use of them is very uncommon and many web-servers simply do not allow them for security reasons (e.g. User.Agent would be normalized to $HTTP_USER_AGENT).

I highly doubt Cloudflare will ever allow the use of dots in header names, simply because of the low demand and potential security issues. The solution here would be to update your app so it does not use dots in header names.

5 Likes
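
Added example (not part of the thread, and not Cloudflare's or NGINX's code): a small audit of the header names a client sends, flagging the ones a proxy with NGINX-style defaults would drop and the ones that collapse to the same CGI-style variable, as in the User.Agent case above. The letters/digits/hyphens rule is an assumption taken from NGINX's default `ignore_invalid_headers` behaviour, and `X.Session.Token` is a constructed header name.

```python
import re
from collections import defaultdict

# Assumption: names made only of letters, digits and hyphens are what a proxy
# with NGINX's default ignore_invalid_headers behaviour passes through.
PROXY_SAFE_NAME = re.compile(r"^[A-Za-z0-9-]+$")
# RFC 7230 "token" characters, i.e. what the RFC itself permits in a field name.
RFC7230_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def cgi_variable(name):
    """Map a field name to a CGI-style variable: User.Agent -> HTTP_USER_AGENT."""
    return "HTTP_" + re.sub(r"[^A-Za-z0-9]", "_", name).upper()


def audit_header_names(names):
    """Return (dropped, collisions) for a list of request header names.

    dropped:    names that are legal per RFC 7230 but not proxy-safe.
    collisions: CGI-style variable -> distinct names that all map onto it.
    """
    dropped = [n for n in names
               if RFC7230_TOKEN.match(n) and not PROXY_SAFE_NAME.match(n)]
    by_variable = defaultdict(set)
    for n in names:
        by_variable[cgi_variable(n)].add(n.lower())
    collisions = {var: sorted(group)
                  for var, group in by_variable.items() if len(group) > 1}
    return dropped, collisions


# Constructed sample: header names from one hypothetical mobile-app request.
SAMPLE_NAMES = ["Host", "User-Agent", "User.Agent",
                "X.Session.Token", "X-Session-Token", "Accept"]

if __name__ == "__main__":
    dropped, collisions = audit_header_names(SAMPLE_NAMES)
    print("dropped by proxy:", dropped)
    for var, group in collisions.items():
        print("ambiguous:", var, "<-", group)
```

Running this over the header names an app actually sends shows which ones need renaming (for example to a hyphenated form) before the app is put behind the proxy.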
