Cloudflare Docs
Visit Rules on GitHub
Set theme to dark (⇧+D)

How URL normalization works

URL normalization modifies separators, encoded elements, and literal bytes in incoming URLs so that they conform to a consistent formatting standard.

For example, consider a WAF custom rule that blocks requests whose URLs match The rule would not block a request containing an encoded element — Normalizing incoming URLs on the Cloudflare global network helps simplify rule expressions that use URLs.

The URL normalization performed according to RFC 3986 is as follows:

  • The following unreserved characters are percent decoded:
    • Alphabetical characters: a-z, A-Z (decoded from %41-%5A and %61-%7A)
    • Digit characters: 0-9 (decoded from %30-%39)
    • hyphen - (%2D), period . (%2E), underscore _ (%5F), and tilde ~ (%7E)
  • These reserved characters are not encoded or decoded: : / ? # [ ] @ ! $ & ' ( ) * + , ; =
  • Other characters, for example literal byte values, are percent encoded.
  • Percent encoded representations are converted to upper case.
  • URL paths are normalized according to the Remove Dot Segments protocol.

In addition to the rules defined in RFC 3986, Cloudflare can apply the following extra normalization techniques:

  • Normalize back slashes (\) into forward slashes (/).
  • Merge successive forward slashes (for example, // will be normalized to /).

The performed URL normalization varies according to the configured settings. For more information, refer to URL normalization settings.

​​ URL normalization examples

The following table shows some examples of URL normalization when using the Cloudflare normalization type:

URLNormalized URL\\