Google Cloud Application Load Balancer - HTTP/2 Request Path Validation Issue

Question

Recently received an email from Google Cloud regarding an upcoming change to the Classic Application Load Balancer that will take effect from March 31, 2025. According to the email, HTTP/2 request path validation will be updated to more strictly adhere to the URI specification. This means that requests with invalid characters in the request path will be rejected with a 400 - invalid_http2_client_request_path error.

Here is the email I received for reference:

Hello Application Load Balancer Customer,

We're writing to remind you of an upcoming change to the Classic Application Load Balancer impacting your projects starting March 31, 2025. The load balancer HTTP/2 implementation is being changed to improve request path validation to more strictly adhere to the URI specification.

We have put together some resources to help you understand the upcoming changes.

What you need to know

Starting March 31, 2025, we will begin rejecting all HTTP/2 requests if the path contains a character that isn't one of the following:

An allowed ASCII character specified in RFC 3986, sections 3.3 and 3.4.

One of the following special allowed characters: [ ] { } | ^ \

Note: All other characters must be properly URL-encoded.

What you need to do

We encourage you to review your existing traffic to ensure requests are using valid characters in the request path.

If the request path contains invalid characters, the request will be rejected with the following response details:

Response code: 400

Status detail: invalid_http2_client_request_path

For more information on the failure response codes, please review the status Details HTTP failure messages documentation.

We’re here to help

You can refer to the following resources for more information on the HTTP specification:

[URI Path Specification]

[URI Query Specification]

Your affected projects are listed below:

production-application

Thanks for choosing Application Load Balancer.

---

What I Have Understood So Far :-

• The request path must only contain allowed ASCII characters as per RFC 3986, sections 3.3 and 3.4.

• Additionally, the following special characters are allowed: [ ] { } | ^ \

• Any other character must be properly URL-encoded.

What I Have Tried

Checked Logs: I reviewed my logs to identify any requests that might contain invalid characters.

Read Documentation: I referred to Google Cloud’s documentation on failure response codes and HTTP specifications but still need more clarity on how to fix this issue in my application.

My Questions

1. How can I identify which specific requests are causing issues?

• Are there specific logging techniques or tools that can help me pinpoint problematic request paths?

2. What are the exact set of characters that need to be URL-encoded?

• Is there a definitive list of characters that are not allowed in the request path?

3. How should I handle this update in my application?

• Should I implement pre-validation before sending requests to the load balancer?

• Are there any recommended best practices or scripts to validate and encode request paths before they hit the ALB?

4. Has anyone else faced this issue and how did you resolve it?

• If you’ve already dealt with a similar validation update, what changes did you make in your application to comply with it?

My affected project is production-application, but I assume this update applies to all Classic Application Load Balancers using HTTP/2.