Parameter: HTTPAllowDecodedUrlPercent
Short description: Allows or blocks decoded % characters in URL paths – protection measure against HTTP smuggling and path-traversal attacks.
Profile
Parameter | HTTPAllowDecodedUrlPercent |
Category | HTTP / Web |
Component | Server |
Available since | 10.0 |
Supported versions | 10.0, 11.0, 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | 0 = block (recommended), 1 = allow (compatibility mode) |
Description
After the first URL decoding, a remaining % character in the path (e.g. due to double encoding such as %2570) can be an indicator of a smuggling / path-traversal attempt. Domino rejects such URLs by default (HTTPAllowDecodedUrlPercent=0). With 1, the strict check is lifted – only useful if legitimate applications really require % characters in decoded paths.
For Internet-exposed servers, 0 is strongly recommended.
Example configuration
HTTPAllowDecodedUrlPercent=0
Notes & pitfalls
- Takes effect after restart task http.
- 1 actively weakens a security boundary – enable only temporarily and intentionally if a legacy app really needs it.
- Complements HTTPDisableMethods, HTTPDisableTRACE, and reverse-proxy WAFs.
- Suspicious entries appear in the HTTP log with 400 Bad Request.
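
To find out which requests the strict setting affects, the check from the Description (decode the path once, look for a remaining %) can be replayed over an access log. This is an added example, not Domino's own code and not part of the original page; it goes one step further than the page by separating double-encoded paths from literal percent signs. It assumes NCSA common-log style lines; the sample lines are constructed and classify_path / audit are hypothetical helper names.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed log layout: NCSA common-log style, request line in double quotes.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
HEX_ESCAPE_RE = re.compile(rb"%[0-9A-Fa-f]{2}")


def classify_path(raw_path: str) -> str:
    """Return 'clean', 'literal-percent' or 'double-encoded' for a raw request path."""
    decoded = unquote_to_bytes(raw_path)  # the single decoding pass
    if b"%" not in decoded:
        return "clean"
    # A leftover %XX would decode a second time: %2570 -> %70 -> p.
    if HEX_ESCAPE_RE.search(decoded):
        return "double-encoded"
    return "literal-percent"  # e.g. .../discount100%25 -> .../discount100%


def audit(lines):
    """Yield (status, verdict, raw_path) for requests whose decoded path keeps a %."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line in the assumed format
        raw_path = m.group("target").split("?", 1)[0]  # path only, query string dropped
        verdict = classify_path(raw_path)
        if verdict != "clean":
            yield int(m.group("status")), verdict, raw_path


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2025:10:00:01 +0000] "GET /app.nsf/view?OpenView HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Mar/2025:10:00:02 +0000] "GET /app.nsf/%2570age HTTP/1.1" 400 312',
    '192.0.2.12 - - [01/Mar/2025:10:00:03 +0000] "GET /legacy.nsf/discount100%25 HTTP/1.1" 400 312',
    '192.0.2.13 - - [01/Mar/2025:10:00:04 +0000] "GET /app.nsf/a%20b?q=50%2525 HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for status, verdict, path in audit(SAMPLE_LOG):
        print(f"{status} {verdict:16} {path}")
```

Paths reported as literal-percent are the ones a legacy application may genuinely depend on; double-encoded ones match the pattern the Description calls out as an indicator of a smuggling / path-traversal attempt.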