403 Forbidden for URLs with encoded slashes
When URLs contain encoded slashes (%2F), Adobe Experience Manager as a Cloud Service can return a 403 Forbidden error. This occurs due to CDN-level security hardening designed to block patterns that could be exploited for malicious traffic or DDoS attacks. To resolve this, update application logic so valid user flows do not rely on encoded slashes and ensure URLs comply with Adobe’s security standards.
Description
Environment
Adobe Experience Manager as a Cloud Service (AEMaaCS)
Issue/Symptoms
You can see the following error when accessing AEM pages or APIs that include encoded slashes in the URL path:
403 Forbidden
Reason: DDOSBlockedPatternEncodedSlashes
Where it appears:
- In the browser when navigating to a page with encoded slashes.
- In API responses when calling endpoints with %2F in the path.
- In CDN logs or network traces (for example, Chrome DevTools > Network tab).
Resolution
Cause
This behavior is by design and part of Adobe’s Fastly CDN security hardening. It mitigates malicious traffic patterns, including potential DDoS vectors that abuse encoded path traversal. These protections are managed centrally by Adobe and are not customer‑configurable.
To fix the issue, follow these steps:
- Start by identifying affected URLs. Review how your application uses encoded slashes. Use browser developer tools or CDN/AEM diagnostics to find requests returning 403 with a reason such as DDOSBlockedPatternEncodedSlashes. Avoid encoded slashes in the path wherever possible.
- Remove reliance on encoded slashes in URL paths. If your application does not semantically require %2F, replace it with / or move opaque data into query parameters or another encoding method to maintain cleaner and more secure URL structures.
- Test in lower environments first. Before applying changes to production, use Dev or Stage environments to check for 403 responses as an early warning. This ensures issues are caught early without impacting live traffic.
- Verify application behavior after adjustments. Confirm that removing encoded slashes or changing the URL structure does not break legitimate functionality, such as routing, security checks, or caching.
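The following added example (not Adobe's code) shows one way to carry out the first two steps: it audits a request log for encoded slashes in the URL path and proposes a rewrite that moves the opaque segment into a query parameter. The log format, host names, the parameter name `ref`, and matching `%2f` case-insensitively are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

ENCODED_SLASH = re.compile(r"%2f", re.IGNORECASE)  # assumption: flag %2F and %2f alike

# Constructed sample lines in a hypothetical "<status> <method> <url>" format.
SAMPLE_LOG = """\
200 GET https://dev.example.com/content/site/en/products.html
403 GET https://dev.example.com/api/assets/brand%2Flogo.png
200 GET https://dev.example.com/bin/search?path=%2Fcontent%2Fsite
200 GET https://stage.example.com/api/assets/docs%2fguide.pdf?v=2
403 GET https://dev.example.com/content/private/page.html
"""

def has_encoded_slash_in_path(url):
    """True if the raw (undecoded) path contains an encoded slash.
    urlsplit() does not decode, so a %2F in the query string is not counted."""
    return bool(ENCODED_SLASH.search(urlsplit(url).path))

def audit(log_text):
    """Return (blocked, at_risk): URLs with an encoded slash in the path that
    already return 403, and those that still succeed in this environment."""
    blocked, at_risk = [], []
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or not has_encoded_slash_in_path(parts[2]):
            continue  # malformed line, or a 403 with an unrelated cause
        (blocked if parts[0] == "403" else at_risk).append(parts[2])
    return blocked, at_risk

def move_to_query(url, param="ref"):
    """Suggest a URL with each encoded-slash path segment moved into a query
    parameter. 'ref' is a hypothetical name; the endpoint must be changed to read it."""
    s = urlsplit(url)
    keep, moved = [], []
    for seg in s.path.split("/"):
        (moved if ENCODED_SLASH.search(seg) else keep).append(seg)
    pairs = ([s.query] if s.query else []) + [f"{param}={m}" for m in moved]
    return urlunsplit((s.scheme, s.netloc, "/".join(keep), "&".join(pairs), s.fragment))

if __name__ == "__main__":
    blocked, at_risk = audit(SAMPLE_LOG)
    for label, urls in (("blocked", blocked), ("at risk", at_risk)):
        for u in urls:
            print(f"{label}: {u}\n  suggest: {move_to_query(u)}")
```

The "at risk" list covers requests that still succeed in the environment the log came from; because the protections roll out progressively, those URLs are worth fixing before they start returning 403.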
Additional information
These protections are rolled out progressively, starting with lower environments and then extending to Production. Treat 403 responses on Dev/Stage as early warnings.
Related reading
- Configuring Traffic at the CDN in the AEM as a Cloud Service User Guide.
- Traffic Filter Rules including WAF Rules in the AEM as a Cloud Service User Guide.
- Blocking DoS, DDoS and sophisticated attacks using traffic filter rules in the AEM as a Cloud Service Tutorials.