This directive changes the rules applied to the HTTP Request Line (RFC 7230 §3.1.1) and the HTTP Request Header Fields (RFC 7230 §3.2), which are now applied by default or using the Strict option. Due to legacy modules, applications or custom user-agents which must be deprecated the Unsafe option has been added to revert to the legacy behaviors.

These rules are applied prior to request processing, so must be configured at the global or default (first) matching virtual host section, by IP/port interface (and not by name) to be honored.

The directive accepts three parameters from the following list of choices, applying the default to the ones not specified:

Strict|Unsafe

Prior to the introduction of this directive, the Apache HTTP Server request message parsers were tolerant of a number of forms of input which did not conform to the protocol. RFC 7230 §9.4 Request Splitting and §9.5 Response Smuggling call out only two of the potential risks of accepting non-conformant request messages, while RFC 7230 §3.5 "Message Parsing Robustness" identify the risks of accepting obscure whitespace and request message formatting. As of the introduction of this directive, all grammar rules of the specification are enforced in the default Strict operating mode, and the strict whitespace suggested by section 3.5 is enforced and cannot be relaxed.

Security risks of Unsafe

Users are strongly cautioned against toggling the Unsafe mode of operation, particularly on outward-facing, publicly accessible server deployments. If an interface is required for faulty monitoring or other custom service consumers running on an intranet, users should toggle the Unsafe option only on a specific virtual host configured to service their internal private network.

Example of a request leading to HTTP 400 with Strict mode

# Missing CRLF
GET / HTTP/1.0\n\n

Command line tools and CRLF

Some tools need to be forced to use CRLF, otherwise httpd will return a HTTP 400 response like described in the above use case. For example, the OpenSSL s_client needs the -crlf parameter to work properly.

The DumpIOInput directive can help while reviewing the HTTP request to identify issues like the absence of CRLF.

RegisteredMethods|LenientMethods

RFC 7231 §4.1 "Request Methods" "Overview" requires that origin servers shall respond with a HTTP 501 status code when an unsupported method is encountered in the request line. This already happens when the LenientMethods option is used, but administrators may wish to toggle the RegisteredMethods option and register any non-standard methods using the RegisterHttpMethod directive, particularly if the Unsafe option has been toggled.

Forward Proxy compatibility

The RegisteredMethods option should not be toggled for forward proxy hosts, as the methods supported by the origin servers are unknown to the proxy server.

Example of a request leading to HTTP 501 with LenientMethods mode

# Unknown HTTP method
WOW / HTTP/1.0\r\n\r\n

# Lowercase HTTP method
get / HTTP/1.0\r\n\r\n


Allow0.9|Require1.0

RFC 2616 §19.6 "Compatibility With Previous Versions" had encouraged HTTP servers to support legacy HTTP/0.9 requests. RFC 7230 supersedes this with "The expectation to support HTTP/0.9 requests has been removed" and offers additional comments in RFC 7230 Appendix A. The Require1.0 option allows the user to remove support of the default Allow0.9 option's behavior.

Example of a request leading to HTTP 400 with Require1.0 mode

# Unsupported HTTP version
GET /\r\n\r\n

Reviewing the messages logged to the ErrorLog , configured with LogLevel debug level, can help identify such faulty requests along with their origin. Users should pay particular attention to the 400 responses in the access log for invalid requests which were unexpectedly rejected.