Prepare release v2.11.33

Bump webui to NodeJS v24
Print access logs for rejected requests and warn about new behavior
2025-12-24 16:24:11 +03:00 · 2025-12-17 10:56:04 +01:00 · 2025-12-17 10:36:05 +01:00 · 2025-12-16 16:20:05 +01:00 · 2025-12-09 15:28:04 +01:00 · 2025-12-08 10:44:04 +01:00
44 changed files with 1297 additions and 162 deletions
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -24,7 +24,7 @@ jobs:

    strategy:
      matrix:
-        os: [ linux-amd64, linux-386, linux-arm, linux-arm64, linux-ppc64le, linux-s390x, linux-riscv64, darwin, windows-amd64, windows-arm64, windows-386, freebsd, openbsd ]
+        os: [ linux-amd64, linux-386, linux-arm, linux-arm64, linux-ppc64le, linux-s390x, linux-riscv64, darwin-amd64, darwin-arm64, windows-amd64, windows-arm64, windows-386, freebsd-amd64, freebsd-386, openbsd-amd64, openbsd-386, openbsd-riscv64 ]
    needs:
      - build-webui

--- a/.github/workflows/template-webui.yaml
+++ b/.github/workflows/template-webui.yaml
@@ -1,6 +1,8 @@
 name: Build Web UI
 on:
  workflow_call: {}
+env:
+  SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS: 360  # 15 days
 jobs:

  build-webui:
@@ -19,10 +21,16 @@ jobs:
          cache: yarn
          cache-dependency-path: webui/yarn.lock

+      - name: Setup safe-chain
+        working-directory: ./webui
+        run: |
+          npm i -g @aikidosec/safe-chain
+          safe-chain setup-ci
+
      - name: Build webui
        working-directory: ./webui
        run: |
-          yarn install
+          yarn install --ignore-scripts
          yarn build

      - name: Package webui
--- a/.github/workflows/test-unit.yaml
+++ b/.github/workflows/test-unit.yaml
@@ -80,7 +80,12 @@ jobs:
          cache: 'yarn'
          cache-dependency-path: webui/yarn.lock

+      - name: Setup safe-chain
+        run: |
+          npm i -g @aikidosec/safe-chain
+          safe-chain setup-ci
+
      - name: UI unit tests
        run: |
-          yarn --cwd webui install
+          yarn --cwd webui install --ignore-scripts
          yarn --cwd webui test:unit:ci
--- a/.goreleaser.yml.tmpl
+++ b/.goreleaser.yml.tmpl
@@ -54,10 +54,12 @@ changelog:
 archives:
  - id: traefik
    name_template: '{{ .ProjectName }}_v{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}'
-    format: tar.gz
+    formats:
+      - tar.gz
    format_overrides:
      - goos: windows
-        format: zip
+        formats:
+          - zip
    files:
      - LICENSE.md
      - CHANGELOG.md
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,34 @@
+## [v2.11.33](https://github.com/traefik/traefik/tree/v2.11.33) (2025-12-17)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.32...v2.11.33)
+
+**Bug fixes:**
+- **[server]** Print access logs for rejected requests and warn about new behavior ([#12426](https://github.com/traefik/traefik/pull/12426) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- Clarify doc about encoded characters rejection ([#12391](https://github.com/traefik/traefik/pull/12391) by [rtribotte](https://github.com/rtribotte))
+- Fix encoded characters entryPoint option documentation ([#12384](https://github.com/traefik/traefik/pull/12384) by [rtribotte](https://github.com/rtribotte))
+- Fix encoded characters option documentation ([#12373](https://github.com/traefik/traefik/pull/12373) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.11.32](https://github.com/traefik/traefik/tree/v2.11.32) (2025-12-04)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.31...v2.11.32)
+
+**Bug fixes:**
+- **[server]** Reject suspicious encoded characters ([#12360](https://github.com/traefik/traefik/pull/12360) by [rtribotte](https://github.com/rtribotte))
+- **[plugins]** Validate plugin module name ([#12291](https://github.com/traefik/traefik/pull/12291) by [kevinpollet](https://github.com/kevinpollet))
+- **[http3]** Bump github.com/quic-go/quic-go to v0.57.1 ([#12319](https://github.com/traefik/traefik/pull/12319) by [GreyXor](https://github.com/GreyXor))
+- **[http3]** Bump github.com/quic-go/quic-go to v0.57.0 ([#12308](https://github.com/traefik/traefik/pull/12308) by [GreyXor](https://github.com/GreyXor))
+- **[server]** Bump golang.org/x/crypto to v0.45.0 ([#12296](https://github.com/traefik/traefik/pull/12296) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- Update SECURITY.md to streamline information ([#12310](https://github.com/traefik/traefik/pull/12310) by [emilevauge](https://github.com/emilevauge))
+- Update SECURITY.md ([#12304](https://github.com/traefik/traefik/pull/12304) by [cwayne18](https://github.com/cwayne18))
+
+## [v2.11.31](https://github.com/traefik/traefik/tree/v2.11.31) (2025-11-13)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.30...v2.11.31)
+
+**Bug fixes:**
+- **[docker,docker/swarm]** Auto-negotiate Docker API version ([#12262](https://github.com/traefik/traefik/pull/12262) by [kevinpollet](https://github.com/kevinpollet))
+
 ## [v2.11.30](https://github.com/traefik/traefik/tree/v2.11.30) (2025-10-28)
 [All Commits](https://github.com/traefik/traefik/compare/v2.11.29...v2.11.30)

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,10 +1,5 @@
 # Security Policy

-You can join our security mailing list to be aware of the latest announcements from our security team.
-You can subscribe by sending an email to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
-
-Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
-
 ## Supported Versions

 - We usually release 3/4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year.
@@ -17,10 +12,10 @@ We use [Semantic Versioning](https://semver.org/).

 | Version   | Supported          |
 |-----------|--------------------|
-| `2.2.x`   | :white_check_mark: |
-| `< 2.2.x` | :x:                |
-| `1.7.x`   | :white_check_mark: |
-| `< 1.7.x` | :x:                |
+| `3.6.x`   | :white_check_mark: |
+| `< 3.6.x` | :x:                |
+| `2.11.x`   | :white_check_mark: |
+| `< 2.11.x` | :x:                |

 ## Reporting a Vulnerability

@@ -28,3 +23,5 @@ We want to keep Traefik safe for everyone.
 If you've discovered a security vulnerability in Traefik,
 we appreciate your help in disclosing it to us in a responsible manner,
 by creating a [security advisory](https://github.com/traefik/traefik/security/advisories).
+
+Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -87,6 +87,11 @@ Complete documentation is available at https://traefik.io`,
 func runCmd(staticConfiguration *static.Configuration) error {
 	configureLogging(staticConfiguration)

+	// Display warning to advertise for new behavior of rejecting encoded characters in the request path.
+	// Deprecated: this has to be removed in the next minor/major version.
+	log.WithoutContext().Warnf("Starting with v2.11.32, Traefik now rejects some encoded characters in the request path by default. " +
+		"Refer to the documentation for more details: https://doc.traefik.io/traefik/v2.11/migration/v2/#encoded-characters-in-request-path")
+
 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment

 	if err := roundrobin.SetDefaultWeight(0); err != nil {
--- a/docs/content/migration/v2.md
+++ b/docs/content/migration/v2.md
@@ -714,3 +714,26 @@ It appears that enabling MPTCP on some platforms can cause Traefik to stop with
 - `set tcp X.X.X.X:X->X.X.X.X:X: setsockopt: operation not supported`

 However, it can be re-enabled by setting the `multipathtcp` variable in the GODEBUG environment variable, see the related [go documentation](https://go.dev/doc/godebug#go-124).
+
+## v2.11.32
+
+### Encoded Characters in Request Path
+
+Since `v2.11.32`, for security reasons Traefik now rejects requests with a path containing a specific set of encoded characters by default.
+When such a request is received, Traefik responds with a `400 Bad Request` status code.
+Here is the list of the encoded characters that are rejected by default, along with the corresponding configuration option to allow them:
+
+| Encoded Character | Character               | Config option to allow the encoded character                                         |
+|-------------------|-------------------------|--------------------------------------------------------------------------------------|
+| `%2f` or `%2F`    | `/` (slash)             | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedSlash`          |
+| `%5c` or `%5C`    | `\` (backslash)         | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedBackSlash`     |
+| `%00`             | `NULL` (null character) | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedNullCharacter` |
+| `%3b` or `%3B`    | `;` (semicolon)         | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedSemicolon`     |
+| `%25`             | `%` (percent)           | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedPercent`       |
+| `%3f` or `%3F`    | `?` (question mark)     | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedQuestionMark`  |
+| `%23`             | `#` (hash)              | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedHash`          |
+
+Note: This check is not done against query parameters,
+but only against the request path as defined in [RFC3986 section-3](https://datatracker.ietf.org/doc/html/rfc3986#section-3).
+
+Please check out the entrypoint [encodedCharacters option](../routing/entrypoints.md#encoded-characters) documentation for more details.
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@@ -123,6 +123,30 @@ Trust only forwarded headers from selected IPs.
 `--entrypoints.<name>.http`:  
 HTTP configuration.

+`--entrypoints.<name>.http.encodedcharacters`:  
+Defines which encoded characters are allowed in the request path.
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodedbackslash`:  
+Defines whether requests with encoded back slash characters in the path are allowed. (Default: ```false```)
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodedhash`:  
+Defines whether requests with encoded hash characters in the path are allowed. (Default: ```false```)
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodednullcharacter`:  
+Defines whether requests with encoded null characters in the path are allowed. (Default: ```false```)
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodedpercent`:  
+Defines whether requests with encoded percent characters in the path are allowed. (Default: ```false```)
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodedquestionmark`:  
+Defines whether requests with encoded question mark characters in the path are allowed. (Default: ```false```)
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodedsemicolon`:  
+Defines whether requests with encoded semicolon characters in the path are allowed. (Default: ```false```)
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodedslash`:  
+Defines whether requests with encoded slash characters in the path are allowed. (Default: ```false```)
+
 `--entrypoints.<name>.http.encodequerysemicolons`:  
 Defines whether request query semicolons should be URLEncoded. (Default: ```false```)

--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@@ -132,6 +132,30 @@ HTTP/3 configuration. (Default: ```false```)
 `TRAEFIK_ENTRYPOINTS_<NAME>_HTTP3_ADVERTISEDPORT`:  
 UDP port to advertise, on which HTTP/3 is available. (Default: ```0```)

+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS`:  
+Defines which encoded characters are allowed in the request path.
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDBACKSLASH`:  
+Defines whether requests with encoded back slash characters in the path are allowed. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH`:  
+Defines whether requests with encoded hash characters in the path are allowed. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDNULLCHARACTER`:  
+Defines whether requests with encoded null characters in the path are allowed. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDPERCENT`:  
+Defines whether requests with encoded percent characters in the path are allowed. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDQUESTIONMARK`:  
+Defines whether requests with encoded question mark characters in the path are allowed. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSEMICOLON`:  
+Defines whether requests with encoded semicolon characters in the path are allowed. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH`:  
+Defines whether requests with encoded slash characters in the path are allowed. (Default: ```false```)
+
 `TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEQUERYSEMICOLONS`:  
 Defines whether request query semicolons should be URLEncoded. (Default: ```false```)

--- a/docs/content/reference/static-configuration/file.toml
+++ b/docs/content/reference/static-configuration/file.toml
@@ -55,6 +55,14 @@
        [[entryPoints.EntryPoint0.http.tls.domains]]
          main = "foobar"
          sans = ["foobar", "foobar"]
+      [entryPoints.EntryPoint0.http.encodedCharacters]
+        allowEncodedSlash = true
+        allowEncodedBackSlash = true
+        allowEncodedNullCharacter = true
+        allowEncodedSemicolon = true
+        allowEncodedPercent = true
+        allowEncodedQuestionMark = true
+        allowEncodedHash = true
    [entryPoints.EntryPoint0.http2]
      maxConcurrentStreams = 42
    [entryPoints.EntryPoint0.http3]
--- a/docs/content/reference/static-configuration/file.yaml
+++ b/docs/content/reference/static-configuration/file.yaml
@@ -62,6 +62,14 @@ entryPoints:
            sans:
              - foobar
              - foobar
+      encodedCharacters:
+        allowEncodedSlash: true
+        allowEncodedBackSlash: true
+        allowEncodedNullCharacter: true
+        allowEncodedSemicolon: true
+        allowEncodedPercent: true
+        allowEncodedQuestionMark: true
+        allowEncodedHash: true
      encodeQuerySemicolons: true
      sanitizePath: true
    http2:
--- a/docs/content/routing/entrypoints.md
+++ b/docs/content/routing/entrypoints.md
@@ -127,6 +127,15 @@ They can be defined by using a file (YAML or TOML) or CLI arguments.
          trustedIPs:
            - "127.0.0.1"
            - "192.168.0.1"
+        http:
+          encodedCharacters:
+            allowEncodedSlash: true
+            allowEncodedBackSlash: true
+            allowEncodedNullCharacter: true
+            allowEncodedSemicolon: true
+            allowEncodedPercent: true
+            allowEncodedQuestionMark: true
+            allowEncodedHash: true
    ```

    ```toml tab="File (TOML)"
@@ -152,6 +161,14 @@ They can be defined by using a file (YAML or TOML) or CLI arguments.
        [entryPoints.name.forwardedHeaders]
          insecure = true
          trustedIPs = ["127.0.0.1", "192.168.0.1"]
+        [entryPoints.name.http.encodedCharacters]
+          allowEncodedSlash = true
+          allowEncodedBackSlash = true
+          allowEncodedNullCharacter = true
+          allowEncodedSemicolon = true
+          allowEncodedPercent = true
+          allowEncodedQuestionMark = true
+          allowEncodedHash = true
    ```

    ```bash tab="CLI"
@@ -168,6 +185,13 @@ They can be defined by using a file (YAML or TOML) or CLI arguments.
    --entryPoints.name.proxyProtocol.trustedIPs=127.0.0.1,192.168.0.1
    --entryPoints.name.forwardedHeaders.insecure=true
    --entryPoints.name.forwardedHeaders.trustedIPs=127.0.0.1,192.168.0.1
+    --entryPoints.name.http.encodedCharacters.allowEncodedSlash=true
+    --entryPoints.name.http.encodedCharacters.allowEncodedBackSlash=true
+    --entryPoints.name.http.encodedCharacters.allowEncodedNullCharacter=true
+    --entryPoints.name.http.encodedCharacters.allowEncodedSemicolon=true
+    --entryPoints.name.http.encodedCharacters.allowEncodedPercent=true
+    --entryPoints.name.http.encodedCharacters.allowEncodedQuestionMark=true
+    --entryPoints.name.http.encodedCharacters.allowEncodedHash=true
    ```

 ### Address
@@ -994,6 +1018,244 @@ entryPoints:
 | false                 | foo=bar&baz=bar;foo | foo=bar&baz=bar&foo     |
 | true                  | foo=bar&baz=bar;foo | foo=bar&baz=bar%3Bfoo   |

+### Encoded Characters
+
+You can configure Traefik to control the handling of encoded characters in request paths for security purposes.
+By default, Traefik rejects requests with path containing certain encoded characters that could be used in path traversal or other security attacks.
+
+!!! info 
+    
+    This check is not done against the request query parameters,
+    but only against the request path as defined in [RFC3986 section-3](https://datatracker.ietf.org/doc/html/rfc3986#section-3).
+
+!!! warning "Security Considerations"
+
+    Allowing certain encoded characters may expose your application to security vulnerabilities.
+
+??? info "`encodedCharacters.allowEncodedSlash`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded slash characters (`%2F` or `%2f`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        http:
+          encodedCharacters:
+            allowEncodedSlash: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.http.encodedCharacters]
+          allowEncodedSlash = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.http.encodedCharacters.allowEncodedSlash=true
+    ```
+
+??? info "`encodedCharacters.allowEncodedBackSlash`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded back slash characters (`%5C` or `%5c`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        http:
+          encodedCharacters:
+            allowEncodedBackSlash: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.http.encodedCharacters]
+          allowEncodedBackSlash = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.http.encodedCharacters.allowEncodedBackSlash=true
+    ```
+
+??? info "`encodedCharacters.allowEncodedNullCharacter`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded null characters (`%00`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        http:
+          encodedCharacters:
+            allowEncodedNullCharacter: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.http.encodedCharacters]
+          allowEncodedNullCharacter = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.http.encodedCharacters.allowEncodedNullCharacter=true
+    ```
+
+??? info "`encodedCharacters.allowEncodedSemicolon`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded semicolon characters (`%3B` or `%3b`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        http:
+          encodedCharacters:
+            allowEncodedSemicolon: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.http.encodedCharacters]
+          allowEncodedSemicolon = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.http.encodedCharacters.allowEncodedSemicolon=true
+    ```
+
+??? info "`encodedCharacters.allowEncodedPercent`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded percent characters (`%25`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        http:
+          encodedCharacters:
+            allowEncodedPercent: true   
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.http.encodedCharacters]
+          allowEncodedPercent = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.http.encodedCharacters.allowEncodedPercent=true
+    ```
+
+??? info "`encodedCharacters.allowEncodedQuestionMark`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded question mark characters (`%3F` or `%3f`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        http:
+          encodedCharacters:
+            allowEncodedQuestionMark: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.http.encodedCharacters]
+          allowEncodedQuestionMark = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.http.encodedCharacters.allowEncodedQuestionMark=true
+    ```
+
+??? info "`encodedCharacters.allowEncodedHash`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded hash characters (`%23`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        http:    
+          encodedCharacters:
+            allowEncodedHash: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.http.encodedCharacters]
+          allowEncodedHash = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.http.encodedCharacters.allowEncodedHash=true
+    ```
+
 ### SanitizePath

 _Optional, Default=true_
--- a/docs/content/security/content-length.md
+++ b/docs/content/security/content-length.md
@@ -3,7 +3,8 @@ title: "Content-Length"
 description: "Enforce strict Content‑Length validation in Traefik by streaming or full buffering to prevent truncated or over‑long requests and responses. Read the technical documentation."
 ---

-Traefik acts as a streaming proxy. By default, it checks each chunk of data against the `Content-Length` header as it passes it on to the backend or client. This live check blocks truncated or over‑long streams without holding the entire message.
+Traefik acts as a streaming proxy. By default, it checks each chunk of data against the `Content-Length` header as it passes it on to the backend or client.
+This live check blocks truncated or over‑long streams without holding the entire message.

 If you need Traefik to read and verify the full body before any data moves on, add the [buffering middleware](../middlewares/http/buffering.md):

@@ -20,5 +21,7 @@ With buffering enabled, Traefik will:
 - Compare the actual byte count to the `Content-Length` header.
 - Reject the message if the counts do not match.

-!!!warning 
-    Buffering adds overhead. Every request and response is held in full before forwarding, which can increase memory use and latency. Use it when strict content validation is critical to your security posture.
+!!! warning
+
+    Buffering adds overhead. Every request and response is held in full before forwarding, which can increase memory use and latency.
+    Use it when strict content validation is critical to your security posture.
--- a/docs/content/security/request-path.md
+++ b/docs/content/security/request-path.md
@@ -0,0 +1,130 @@
+---
+title: "Request Path"
+description: "Learn how Traefik processes and secures request paths through sanitization and encoded character filtering to protect against path traversal and injection attacks."
+---
+
+# Request Path
+
+Protecting Against Path-Based Attacks Through Sanitization and Filtering
+{: .subtitle }
+
+Traefik implements multiple layers of security when processing incoming request paths.
+This includes path sanitization to normalize potentially dangerous sequences and encoded character filtering to prevent attack vectors that use URL encoding.
+Understanding how Traefik handles request paths is crucial for maintaining a secure routing infrastructure.
+
+## How Traefik Processes Request Paths
+
+When Traefik receives an HTTP request, it processes the request path through several security-focused stages:
+
+### 1. Encoded Character Filtering
+
+Traefik inspects the path for potentially dangerous encoded characters and rejects requests containing them unless explicitly allowed.
+
+Here is the list of the encoded characters that are rejected by default:
+
+| Encoded Character | Character               |
+|-------------------|-------------------------|
+| `%2f` or `%2F`    | `/` (slash)             |
+| `%5c` or `%5C`    | `\` (backslash)         |
+| `%00`             | `NULL` (null character) |
+| `%3b` or `%3B`    | `;` (semicolon)         |
+| `%25`             | `%` (percent)           |
+| `%3f` or `%3F`    | `?` (question mark)     |
+| `%23`             | `#` (hash)              |
+
+### 2. Path Normalization
+
+Traefik normalizes the request path by decoding the unreserved percent-encoded characters,
+as they are equivalent to their non-encoded form (according to [rfc3986#section-2.3](https://datatracker.ietf.org/doc/html/rfc3986#section-2.3)),
+and capitalizing the percent-encoded characters (according to [rfc3986#section-6.2.2.1](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1)).
+
+### 3. Path Sanitization
+
+Traefik sanitizes request paths to prevent common attack vectors,
+by removing the `..`, `.` and duplicate slash segments from the URL (according to [rfc3986#section-6.2.2.3](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.3)).
+
+## Path Security Configuration
+
+Traefik provides two main mechanisms for path security that work together to protect your applications.
+
+### Path Sanitization
+
+Path sanitization is enabled by default and helps prevent directory traversal attacks by normalizing request paths.
+Configure it in the [EntryPoints](../routing/entrypoints.md#sanitizepath) HTTP section:
+
+```yaml tab="File (YAML)"
+entryPoints:
+  websecure:
+    address: ":443"
+    http:
+      sanitizePath: true  # Default: true (recommended)
+```
+
+```toml tab="File (TOML)"
+[entryPoints.websecure]
+  address = ":443"
+
+  [entryPoints.websecure.http]
+    sanitizePath = true
+```
+
+```bash tab="CLI"
+--entryPoints.websecure.address=:443
+--entryPoints.websecure.http.sanitizePath=true
+```
+
+**Sanitization behavior:**
+
+- `./foo/bar` → `/foo/bar` (removes relative current directory)
+- `/foo/../bar` → `/bar` (resolves parent directory traversal)
+- `/foo/bar//` → `/foo/bar/` (removes duplicate slashes)
+- `/./foo/../bar//` → `/bar/` (combines all normalizations)
+
+### Encoded Character Filtering
+
+Encoded character filtering provides an additional security layer by rejecting potentially dangerous URL-encoded characters.
+Configure it in the [EntryPoints](../routing/entrypoints.md#encoded-characters) HTTP section.
+
+This filtering occurs before path sanitization and catches attack attempts that use encoding to bypass other security controls.
+
+All encoded character filtering is enabled by default (`false` means encoded characters are rejected), providing maximum security:
+
+```yaml tab="File (YAML)"
+entryPoints:
+  websecure:
+    address: ":443"
+    http:
+      encodedCharacters:
+        allowEncodedSlash: false          # %2F - Default: false (RECOMMENDED)
+        allowEncodedBackSlash: false      # %5C - Default: false (RECOMMENDED)
+        allowEncodedNullCharacter: false  # %00 - Default: false (RECOMMENDED)
+        allowEncodedSemicolon: false      # %3B - Default: false (RECOMMENDED)
+        allowEncodedPercent: false        # %25 - Default: false (RECOMMENDED)
+        allowEncodedQuestionMark: false   # %3F - Default: false (RECOMMENDED)
+        allowEncodedHash: false           # %23 - Default: false (RECOMMENDED)
+```
+
+```toml tab="File (TOML)"
+[entryPoints.websecure]
+  address = ":443"
+
+  [entryPoints.websecure.http.encodedCharacters]
+    allowEncodedSlash = false
+    allowEncodedBackSlash = false
+    allowEncodedNullCharacter = false
+    allowEncodedSemicolon = false
+    allowEncodedPercent = false
+    allowEncodedQuestionMark = false
+    allowEncodedHash = false
+```
+
+```bash tab="CLI"
+--entryPoints.websecure.address=:443
+--entryPoints.websecure.http.encodedCharacters.allowEncodedSlash=false
+--entryPoints.websecure.http.encodedCharacters.allowEncodedBackSlash=false
+--entryPoints.websecure.http.encodedCharacters.allowEncodedNullCharacter=false
+--entryPoints.websecure.http.encodedCharacters.allowEncodedSemicolon=false
+--entryPoints.websecure.http.encodedCharacters.allowEncodedPercent=false
+--entryPoints.websecure.http.encodedCharacters.allowEncodedQuestionMark=false
+--entryPoints.websecure.http.encodedCharacters.allowEncodedHash=false
+```
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -167,6 +167,7 @@ nav:
          - 'Elastic': 'observability/tracing/elastic.md'
          - 'OpenTelemetry': 'observability/tracing/opentelemetry.md'
  - 'Security':
+        - 'Request Path': 'security/request-path.md'
        - 'Content-Length': 'security/content-length.md'
        - 'TLS in Multi-Tenant Kubernetes': 'security/tls-certs-in-multi-tenant-kubernetes.md'
  - 'User Guides':
--- a/go.mod
+++ b/go.mod
@@ -57,10 +57,10 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // No tag on the repo.
 	github.com/prometheus/client_golang v1.22.0
 	github.com/prometheus/client_model v0.6.1
-	github.com/quic-go/quic-go v0.55.0
+	github.com/quic-go/quic-go v0.57.1
 	github.com/rancher/go-rancher-metadata v0.0.0-20200311180630-7f4c936a06ac // No tag on the repo.
 	github.com/sirupsen/logrus v1.9.3
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	github.com/stvp/go-udp-testing v0.0.0-20191102171040-06b61409b154 // No tag on the repo.
 	github.com/testcontainers/testcontainers-go v0.32.0
 	github.com/traefik/paerser v0.2.2
@@ -73,11 +73,11 @@ require (
 	github.com/vulcand/predicate v1.2.0
 	go.elastic.co/apm/module/apmot/v2 v2.4.8
 	go.elastic.co/apm/v2 v2.4.8
-	golang.org/x/mod v0.28.0
-	golang.org/x/net v0.46.0
-	golang.org/x/text v0.30.0
+	golang.org/x/mod v0.29.0
+	golang.org/x/net v0.47.0
+	golang.org/x/text v0.31.0
 	golang.org/x/time v0.12.0
-	golang.org/x/tools v0.37.0
+	golang.org/x/tools v0.38.0
 	google.golang.org/grpc v1.73.0
 	gopkg.in/DataDog/dd-trace-go.v1 v1.74.6
 	gopkg.in/yaml.v3 v3.0.1
@@ -312,7 +312,7 @@ require (
 	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/puzpuzpuz/xsync/v3 v3.5.1 // indirect
-	github.com/quic-go/qpack v0.5.1 // indirect
+	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/redis/go-redis/v9 v9.8.0 // indirect
 	github.com/regfish/regfish-dnsapi-go v0.1.1 // indirect
 	github.com/sacloud/api-client-go v0.3.2 // indirect
@@ -380,12 +380,12 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/ratelimit v0.3.1 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.43.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.37.0 // indirect
-	golang.org/x/term v0.36.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	google.golang.org/api v0.242.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
--- a/go.sum
+++ b/go.sum
@@ -1252,10 +1252,10 @@ github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlT
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/puzpuzpuz/xsync/v3 v3.5.1 h1:GJYJZwO6IdxN/IKbneznS6yPkVC+c3zyY/j19c++5Fg=
 github.com/puzpuzpuz/xsync/v3 v3.5.1/go.mod h1:VjzYrABPabuM4KyBh1Ftq6u8nhwY5tBPKP9jpmh0nnA=
-github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
-github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
-github.com/quic-go/quic-go v0.55.0 h1:zccPQIqYCXDt5NmcEabyYvOnomjs8Tlwl7tISjJh9Mk=
-github.com/quic-go/quic-go v0.55.0/go.mod h1:DR51ilwU1uE164KuWXhinFcKWGlEjzys2l8zUl5Ss1U=
+github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
+github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
+github.com/quic-go/quic-go v0.57.1 h1:25KAAR9QR8KZrCZRThWMKVAwGoiHIrNbT72ULHTuI10=
+github.com/quic-go/quic-go v0.57.1/go.mod h1:ly4QBAjHA2VhdnxhojRsCUOeJwKYg+taDlos92xb1+s=
 github.com/rancher/go-rancher-metadata v0.0.0-20200311180630-7f4c936a06ac h1:wBGhHdXKICZmvAPWS8gQoMyOWDH7QAi9bU4Z1nDWnFU=
 github.com/rancher/go-rancher-metadata v0.0.0-20200311180630-7f4c936a06ac/go.mod h1:67sLWL17mVlO1HFROaTBmU71NB4R8UNCesFHhg0f6LQ=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
@@ -1392,8 +1392,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/stvp/go-udp-testing v0.0.0-20191102171040-06b61409b154 h1:XGopsea1Dw7ecQ8JscCNQXDGYAKDiWjDeXnpN/+BY9g=
 github.com/stvp/go-udp-testing v0.0.0-20191102171040-06b61409b154/go.mod h1:7jxmlfBCDBXRzr0eAQJ48XC1hBu1np4CS5+cHEYfwpc=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
@@ -1647,8 +1647,8 @@ golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDf
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
-golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
-golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1696,8 +1696,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U=
-golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1766,8 +1766,8 @@ golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
-golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
-golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1799,8 +1799,8 @@ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1911,8 +1911,8 @@ golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
-golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -1930,8 +1930,8 @@ golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
-golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q=
-golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1950,8 +1950,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
-golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
-golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -2033,8 +2033,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE=
-golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/integration/fixtures/simple_deny.toml
+++ b/integration/fixtures/simple_deny.toml
@@ -0,0 +1,20 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[api]
+  insecure = true
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":8000"
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+## dynamic configuration ##
+
+[http.routers]
+  [http.routers.router]
+    service = "noop@internal"
+    rule = "Host(`deny.localhost`)"
--- a/integration/fixtures/websocket/config.toml
+++ b/integration/fixtures/websocket/config.toml
@@ -8,6 +8,8 @@
 [entryPoints]
  [entryPoints.web]
    address = ":8000"
+    [entryPoints.web.http.encodedCharacters]
+        allowEncodedSlash = true

 [api]
  insecure = true
--- a/integration/simple_test.go
+++ b/integration/simple_test.go
@@ -1369,16 +1369,15 @@ func (s *SimpleSuite) TestDenyFragment() {
 	s.composeUp()
 	defer s.composeDown()

-	s.traefikCmd(withConfigFile("fixtures/simple_default.toml"))
+	s.traefikCmd(withConfigFile(s.adaptFile("fixtures/simple_deny.toml", struct{}{})))

-	// Expected a 404 as we did not configure anything
-	err := try.GetRequest("http://127.0.0.1:8000/", 1*time.Second, try.StatusCodeIs(http.StatusNotFound))
+	err := try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`deny.localhost`)"))
 	require.NoError(s.T(), err)

 	conn, err := net.Dial("tcp", "127.0.0.1:8000")
 	require.NoError(s.T(), err)

-	_, err = conn.Write([]byte("GET /#/?bar=toto;boo=titi HTTP/1.1\nHost: other.localhost\n\n"))
+	_, err = conn.Write([]byte("GET /#/?bar=toto;boo=titi HTTP/1.1\nHost: deny.localhost\n\n"))
 	require.NoError(s.T(), err)

 	resp, err := http.ReadResponse(bufio.NewReader(conn), nil)
--- a/pkg/api/testdata/entrypoint-bar.json
+++ b/pkg/api/testdata/entrypoint-bar.json
@@ -1,5 +1,7 @@
 {
 	"address": ":81",
-	"http": {},
+	"http": {
+		"encodedCharacters": {}
+	},
 	"name": "bar"
-}
+}
--- a/pkg/api/testdata/entrypoint-foo-slash-bar.json
+++ b/pkg/api/testdata/entrypoint-foo-slash-bar.json
@@ -1,5 +1,7 @@
 {
 	"address": ":81",
-	"http": {},
+	"http": {
+		"encodedCharacters": {}
+	},
 	"name": "foo / bar"
 }
--- a/pkg/api/testdata/entrypoints-many-lastpage.json
+++ b/pkg/api/testdata/entrypoints-many-lastpage.json
@@ -1,27 +1,37 @@
 [
 	{
 		"address": ":14",
-		"http": {},
+		"http": {
+			"encodedCharacters": {}
+		},
 		"name": "ep14"
 	},
 	{
 		"address": ":15",
-		"http": {},
+		"http": {
+			"encodedCharacters": {}
+		},
 		"name": "ep15"
 	},
 	{
 		"address": ":16",
-		"http": {},
+		"http": {
+			"encodedCharacters": {}
+		},
 		"name": "ep16"
 	},
 	{
 		"address": ":17",
-		"http": {},
+		"http": {
+			"encodedCharacters": {}
+		},
 		"name": "ep17"
 	},
 	{
 		"address": ":18",
-		"http": {},
+		"http": {
+			"encodedCharacters": {}
+		},
 		"name": "ep18"
 	}
-]
+]
--- a/pkg/api/testdata/entrypoints-page2.json
+++ b/pkg/api/testdata/entrypoints-page2.json
@@ -1,7 +1,9 @@
 [
 	{
 		"address": ":82",
-		"http": {},
+		"http": {
+			"encodedCharacters": {}
+		},
 		"name": "web2"
 	}
-]
+]
--- a/pkg/api/testdata/entrypoints.json
+++ b/pkg/api/testdata/entrypoints.json
@@ -8,7 +8,9 @@
 				"192.168.1.4"
 			]
 		},
-		"http": {},
+		"http": {
+			"encodedCharacters": {}
+		},
 		"name": "web",
 		"proxyProtocol": {
 			"insecure": true,
@@ -38,7 +40,9 @@
 				"192.168.1.40"
 			]
 		},
-		"http": {},
+		"http": {
+			"encodedCharacters": {}
+		},
 		"name": "websecure",
 		"proxyProtocol": {
 			"insecure": true,
--- a/pkg/config/static/entrypoints.go
+++ b/pkg/config/static/entrypoints.go
@@ -59,11 +59,12 @@ func (ep *EntryPoint) SetDefaults() {

 // HTTPConfig is the HTTP configuration of an entry point.
 type HTTPConfig struct {
-	Redirections          *Redirections `description:"Set of redirection" json:"redirections,omitempty" toml:"redirections,omitempty" yaml:"redirections,omitempty" export:"true"`
-	Middlewares           []string      `description:"Default middlewares for the routers linked to the entry point." json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"`
-	TLS                   *TLSConfig    `description:"Default TLS configuration for the routers linked to the entry point." json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
-	EncodeQuerySemicolons bool          `description:"Defines whether request query semicolons should be URLEncoded." json:"encodeQuerySemicolons,omitempty" toml:"encodeQuerySemicolons,omitempty" yaml:"encodeQuerySemicolons,omitempty" export:"true"`
-	SanitizePath          *bool         `description:"Defines whether to enable request path sanitization (removal of /./, /../ and multiple slash sequences)." json:"sanitizePath,omitempty" toml:"sanitizePath,omitempty" yaml:"sanitizePath,omitempty" export:"true"`
+	Redirections          *Redirections     `description:"Set of redirection" json:"redirections,omitempty" toml:"redirections,omitempty" yaml:"redirections,omitempty" export:"true"`
+	Middlewares           []string          `description:"Default middlewares for the routers linked to the entry point." json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"`
+	TLS                   *TLSConfig        `description:"Default TLS configuration for the routers linked to the entry point." json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
+	EncodedCharacters     EncodedCharacters `description:"Defines which encoded characters are allowed in the request path." json:"encodedCharacters,omitempty" toml:"encodedCharacters,omitempty" yaml:"encodedCharacters,omitempty" export:"true"`
+	EncodeQuerySemicolons bool              `description:"Defines whether request query semicolons should be URLEncoded." json:"encodeQuerySemicolons,omitempty" toml:"encodeQuerySemicolons,omitempty" yaml:"encodeQuerySemicolons,omitempty" export:"true"`
+	SanitizePath          *bool             `description:"Defines whether to enable request path sanitization (removal of /./, /../ and multiple slash sequences)." json:"sanitizePath,omitempty" toml:"sanitizePath,omitempty" yaml:"sanitizePath,omitempty" export:"true"`
 }

 // SetDefaults sets the default values.
@@ -72,6 +73,50 @@ func (h *HTTPConfig) SetDefaults() {
 	h.SanitizePath = &sanitizePath
 }

+// EncodedCharacters configures which encoded characters are allowed in the request path.
+type EncodedCharacters struct {
+	AllowEncodedSlash         bool `description:"Defines whether requests with encoded slash characters in the path are allowed." json:"allowEncodedSlash,omitempty" toml:"allowEncodedSlash,omitempty" yaml:"allowEncodedSlash,omitempty" export:"true"`
+	AllowEncodedBackSlash     bool `description:"Defines whether requests with encoded back slash characters in the path are allowed." json:"allowEncodedBackSlash,omitempty" toml:"allowEncodedBackSlash,omitempty" yaml:"allowEncodedBackSlash,omitempty" export:"true"`
+	AllowEncodedNullCharacter bool `description:"Defines whether requests with encoded null characters in the path are allowed." json:"allowEncodedNullCharacter,omitempty" toml:"allowEncodedNullCharacter,omitempty" yaml:"allowEncodedNullCharacter,omitempty" export:"true"`
+	AllowEncodedSemicolon     bool `description:"Defines whether requests with encoded semicolon characters in the path are allowed." json:"allowEncodedSemicolon,omitempty" toml:"allowEncodedSemicolon,omitempty" yaml:"allowEncodedSemicolon,omitempty" export:"true"`
+	AllowEncodedPercent       bool `description:"Defines whether requests with encoded percent characters in the path are allowed." json:"allowEncodedPercent,omitempty" toml:"allowEncodedPercent,omitempty" yaml:"allowEncodedPercent,omitempty" export:"true"`
+	AllowEncodedQuestionMark  bool `description:"Defines whether requests with encoded question mark characters in the path are allowed." json:"allowEncodedQuestionMark,omitempty" toml:"allowEncodedQuestionMark,omitempty" yaml:"allowEncodedQuestionMark,omitempty" export:"true"`
+	AllowEncodedHash          bool `description:"Defines whether requests with encoded hash characters in the path are allowed." json:"allowEncodedHash,omitempty" toml:"allowEncodedHash,omitempty" yaml:"allowEncodedHash,omitempty" export:"true"`
+}
+
+// Map returns a map of unallowed encoded characters.
+func (h *EncodedCharacters) Map() map[string]struct{} {
+	characters := make(map[string]struct{})
+
+	if !h.AllowEncodedSlash {
+		characters["%2F"] = struct{}{}
+		characters["%2f"] = struct{}{}
+	}
+	if !h.AllowEncodedBackSlash {
+		characters["%5C"] = struct{}{}
+		characters["%5c"] = struct{}{}
+	}
+	if !h.AllowEncodedNullCharacter {
+		characters["%00"] = struct{}{}
+	}
+	if !h.AllowEncodedSemicolon {
+		characters["%3B"] = struct{}{}
+		characters["%3b"] = struct{}{}
+	}
+	if !h.AllowEncodedPercent {
+		characters["%25"] = struct{}{}
+	}
+	if !h.AllowEncodedQuestionMark {
+		characters["%3F"] = struct{}{}
+		characters["%3f"] = struct{}{}
+	}
+	if !h.AllowEncodedHash {
+		characters["%23"] = struct{}{}
+	}
+
+	return characters
+}
+
 // HTTP2Config is the HTTP2 configuration of an entry point.
 type HTTP2Config struct {
 	MaxConcurrentStreams int32 `description:"Specifies the number of concurrent streams per connection that each client is allowed to initiate." json:"maxConcurrentStreams,omitempty" toml:"maxConcurrentStreams,omitempty" yaml:"maxConcurrentStreams,omitempty" export:"true"`
--- a/pkg/config/static/entrypoints_test.go
+++ b/pkg/config/static/entrypoints_test.go
@@ -65,3 +65,161 @@ func TestEntryPointProtocol(t *testing.T) {
 		})
 	}
 }
+
+func TestEncodedCharactersMap(t *testing.T) {
+	tests := []struct {
+		name     string
+		config   EncodedCharacters
+		expected map[string]struct{}
+	}{
+		{
+			name: "Handles empty configuration",
+			expected: map[string]struct{}{
+				"%2F": {},
+				"%2f": {},
+				"%5C": {},
+				"%5c": {},
+				"%00": {},
+				"%3B": {},
+				"%3b": {},
+				"%25": {},
+				"%3F": {},
+				"%3f": {},
+				"%23": {},
+			},
+		},
+		{
+			name: "Exclude encoded slash when allowed",
+			config: EncodedCharacters{
+				AllowEncodedSlash: true,
+			},
+			expected: map[string]struct{}{
+				"%5C": {},
+				"%5c": {},
+				"%00": {},
+				"%3B": {},
+				"%3b": {},
+				"%25": {},
+				"%3F": {},
+				"%3f": {},
+				"%23": {},
+			},
+		},
+
+		{
+			name: "Exclude encoded backslash when allowed",
+			config: EncodedCharacters{
+				AllowEncodedBackSlash: true,
+			},
+			expected: map[string]struct{}{
+				"%2F": {},
+				"%2f": {},
+				"%00": {},
+				"%3B": {},
+				"%3b": {},
+				"%25": {},
+				"%3F": {},
+				"%3f": {},
+				"%23": {},
+			},
+		},
+
+		{
+			name: "Exclude encoded null character when allowed",
+			config: EncodedCharacters{
+				AllowEncodedNullCharacter: true,
+			},
+			expected: map[string]struct{}{
+				"%2F": {},
+				"%2f": {},
+				"%5C": {},
+				"%5c": {},
+				"%3B": {},
+				"%3b": {},
+				"%25": {},
+				"%3F": {},
+				"%3f": {},
+				"%23": {},
+			},
+		},
+		{
+			name: "Exclude encoded semicolon when allowed",
+			config: EncodedCharacters{
+				AllowEncodedSemicolon: true,
+			},
+			expected: map[string]struct{}{
+				"%2F": {},
+				"%2f": {},
+				"%5C": {},
+				"%5c": {},
+				"%00": {},
+				"%25": {},
+				"%3F": {},
+				"%3f": {},
+				"%23": {},
+			},
+		},
+		{
+			name: "Exclude encoded percent when allowed",
+			config: EncodedCharacters{
+				AllowEncodedPercent: true,
+			},
+			expected: map[string]struct{}{
+				"%2F": {},
+				"%2f": {},
+				"%5C": {},
+				"%5c": {},
+				"%00": {},
+				"%3B": {},
+				"%3b": {},
+				"%3F": {},
+				"%3f": {},
+				"%23": {},
+			},
+		},
+		{
+			name: "Exclude encoded question mark when allowed",
+			config: EncodedCharacters{
+				AllowEncodedQuestionMark: true,
+			},
+			expected: map[string]struct{}{
+				"%2F": {},
+				"%2f": {},
+				"%5C": {},
+				"%5c": {},
+				"%00": {},
+				"%3B": {},
+				"%3b": {},
+				"%25": {},
+				"%23": {},
+			},
+		},
+		{
+			name: "Exclude encoded hash when allowed",
+			config: EncodedCharacters{
+				AllowEncodedHash: true,
+			},
+			expected: map[string]struct{}{
+				"%2F": {},
+				"%2f": {},
+				"%5C": {},
+				"%5c": {},
+				"%00": {},
+				"%3B": {},
+				"%3b": {},
+				"%25": {},
+				"%3F": {},
+				"%3f": {},
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			result := test.config.Map()
+			require.Equal(t, test.expected, result)
+		})
+	}
+}
--- a/pkg/plugins/plugins.go
+++ b/pkg/plugins/plugins.go
@@ -8,6 +8,7 @@ import (

 	"github.com/hashicorp/go-multierror"
 	"github.com/traefik/traefik/v2/pkg/log"
+	"golang.org/x/mod/module"
 )

 const localGoPath = "./plugins-local/"
@@ -68,24 +69,18 @@ func checkRemotePluginsConfiguration(plugins map[string]Descriptor) error {

 	var errs []string
 	for pAlias, descriptor := range plugins {
-		if descriptor.ModuleName == "" {
-			errs = append(errs, fmt.Sprintf("%s: plugin name is missing", pAlias))
+		if err := module.CheckPath(descriptor.ModuleName); err != nil {
+			errs = append(errs, fmt.Sprintf("%s: malformed plugin module name is missing: %s", pAlias, err))
 		}

 		if descriptor.Version == "" {
 			errs = append(errs, fmt.Sprintf("%s: plugin version is missing", pAlias))
 		}

-		if strings.HasPrefix(descriptor.ModuleName, "/") || strings.HasSuffix(descriptor.ModuleName, "/") {
-			errs = append(errs, fmt.Sprintf("%s: plugin name should not start or end with a /", pAlias))
-			continue
-		}
-
 		if _, ok := uniq[descriptor.ModuleName]; ok {
 			errs = append(errs, fmt.Sprintf("only one version of a plugin is allowed, there is a duplicate of %s", descriptor.ModuleName))
 			continue
 		}
-
 		uniq[descriptor.ModuleName] = struct{}{}
 	}

--- a/pkg/plugins/plugins_test.go
+++ b/pkg/plugins/plugins_test.go
@@ -0,0 +1,85 @@
+package plugins
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_checkRemotePluginsConfiguration(t *testing.T) {
+	testCases := []struct {
+		name    string
+		plugins map[string]Descriptor
+		wantErr bool
+	}{
+		{
+			name:    "nil plugins configuration returns no error",
+			plugins: nil,
+			wantErr: false,
+		},
+		{
+			name: "malformed module name returns error",
+			plugins: map[string]Descriptor{
+				"plugin1": {ModuleName: "invalid/module/name", Version: "v1.0.0"},
+			},
+			wantErr: true,
+		},
+		{
+			name: "malformed module name with path traversal returns error",
+			plugins: map[string]Descriptor{
+				"plugin1": {ModuleName: "github.com/module/../name", Version: "v1.0.0"},
+			},
+			wantErr: true,
+		},
+		{
+			name: "malformed module name with encoded path traversal returns error",
+			plugins: map[string]Descriptor{
+				"plugin1": {ModuleName: "github.com/module%2F%2E%2E%2Fname", Version: "v1.0.0"},
+			},
+			wantErr: true,
+		},
+		{
+			name: "malformed module name returns error",
+			plugins: map[string]Descriptor{
+				"plugin1": {ModuleName: "invalid/module/name", Version: "v1.0.0"},
+			},
+			wantErr: true,
+		},
+		{
+			name: "missing plugin version returns error",
+			plugins: map[string]Descriptor{
+				"plugin1": {ModuleName: "github.com/module/name", Version: ""},
+			},
+			wantErr: true,
+		},
+		{
+			name: "duplicate plugin module name returns error",
+			plugins: map[string]Descriptor{
+				"plugin1": {ModuleName: "github.com/module/name", Version: "v1.0.0"},
+				"plugin2": {ModuleName: "github.com/module/name", Version: "v1.1.0"},
+			},
+			wantErr: true,
+		},
+		{
+			name: "valid plugins configuration returns no error",
+			plugins: map[string]Descriptor{
+				"plugin1": {ModuleName: "github.com/module/name1", Version: "v1.0.0"},
+				"plugin2": {ModuleName: "github.com/module/name2", Version: "v1.1.0"},
+			},
+			wantErr: false,
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			err := checkRemotePluginsConfiguration(test.plugins)
+			if test.wantErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
--- a/pkg/provider/docker/docker.go
+++ b/pkg/provider/docker/docker.go
@@ -33,14 +33,6 @@ import (
 	"github.com/traefik/traefik/v2/pkg/version"
 )

-const (
-	// DockerAPIVersion is a constant holding the version of the Provider API traefik will use.
-	DockerAPIVersion = "1.24"
-
-	// SwarmAPIVersion is a constant holding the version of the Provider API traefik will use.
-	SwarmAPIVersion = "1.24"
-)
-
 // DefaultTemplateRule The default template for the default rule.
 const DefaultTemplateRule = "Host(`{{ normalize .Name }}`)"

@@ -121,13 +113,10 @@ func (p *Provider) createClient() (client.APIClient, error) {
 	httpHeaders := map[string]string{
 		"User-Agent": "Traefik " + version.Version,
 	}
-	opts = append(opts, client.WithHTTPHeaders(httpHeaders))
-
-	apiVersion := DockerAPIVersion
-	if p.SwarmMode {
-		apiVersion = SwarmAPIVersion
-	}
-	opts = append(opts, client.WithVersion(apiVersion))
+	opts = append(opts,
+		client.FromEnv,
+		client.WithAPIVersionNegotiation(),
+		client.WithHTTPHeaders(httpHeaders))

 	return client.NewClientWithOpts(opts...)
 }
--- a/pkg/redactor/testdata/anonymized-static-config.json
+++ b/pkg/redactor/testdata/anonymized-static-config.json
@@ -70,7 +70,8 @@
              ]
            }
          ]
-        }
+        },
+        "encodedCharacters": {}
      }
    }
  },
--- a/pkg/server/router/deny.go
+++ b/pkg/server/router/deny.go
@@ -0,0 +1,62 @@
+package router
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/traefik/traefik/v2/pkg/log"
+)
+
+// denyFragment rejects the request if the URL path contains a fragment (hash character).
+// When go receives an HTTP request, it assumes the absence of fragment URL.
+// However, it is still possible to send a fragment in the request.
+// In this case, Traefik will encode the '#' character, altering the request's intended meaning.
+// To avoid this behavior, the following function rejects requests that include a fragment in the URL.
+func denyFragment(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
+		if strings.Contains(req.URL.RawPath, "#") {
+			log.WithoutContext().Debugf("Rejecting request because it contains a fragment in the URL path: %s", req.URL.RawPath)
+			rw.WriteHeader(http.StatusBadRequest)
+
+			return
+		}
+
+		h.ServeHTTP(rw, req)
+	})
+}
+
+// denyEncodedPathCharacters reject the request if the escaped path contains encoded characters in the given list.
+func denyEncodedPathCharacters(encodedCharacters map[string]struct{}, h http.Handler) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
+		if len(encodedCharacters) == 0 {
+			h.ServeHTTP(rw, req)
+			return
+		}
+
+		escapedPath := req.URL.EscapedPath()
+
+		for i := 0; i < len(escapedPath); i++ {
+			if escapedPath[i] != '%' {
+				continue
+			}
+
+			// This should never happen as the standard library will reject requests containing invalid percent-encodings.
+			// This discards URLs with a percent character at the end.
+			if i+2 >= len(escapedPath) {
+				rw.WriteHeader(http.StatusBadRequest)
+				return
+			}
+
+			// This rejects a request with a path containing the given encoded characters.
+			if _, exists := encodedCharacters[escapedPath[i:i+3]]; exists {
+				log.WithoutContext().Debugf("Rejecting request because it contains encoded character %s in the URL path: %s", escapedPath[i:i+3], escapedPath)
+				rw.WriteHeader(http.StatusBadRequest)
+				return
+			}
+
+			i += 2
+		}
+
+		h.ServeHTTP(rw, req)
+	})
+}
--- a/pkg/server/router/deny_test.go
+++ b/pkg/server/router/deny_test.go
@@ -0,0 +1,98 @@
+package router
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_denyFragment(t *testing.T) {
+	tests := []struct {
+		name       string
+		url        string
+		wantStatus int
+	}{
+		{
+			name:       "Rejects fragment character",
+			url:        "http://example.com/#",
+			wantStatus: http.StatusBadRequest,
+		},
+		{
+			name:       "Allows without fragment",
+			url:        "http://example.com/",
+			wantStatus: http.StatusOK,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			handler := denyFragment(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusOK)
+			}))
+
+			req := httptest.NewRequest(http.MethodGet, test.url, nil)
+			res := httptest.NewRecorder()
+
+			handler.ServeHTTP(res, req)
+
+			assert.Equal(t, test.wantStatus, res.Code)
+		})
+	}
+}
+
+func Test_denyEncodedPathCharacters(t *testing.T) {
+	tests := []struct {
+		name       string
+		encoded    map[string]struct{}
+		url        string
+		wantStatus int
+	}{
+		{
+			name: "Rejects disallowed characters",
+			encoded: map[string]struct{}{
+				"%0A": {},
+				"%0D": {},
+			},
+			url:        "http://example.com/foo%0Abar",
+			wantStatus: http.StatusBadRequest,
+		},
+		{
+			name: "Allows valid paths",
+			encoded: map[string]struct{}{
+				"%0A": {},
+				"%0D": {},
+			},
+			url:        "http://example.com/foo%20bar",
+			wantStatus: http.StatusOK,
+		},
+		{
+			name: "Handles empty path",
+			encoded: map[string]struct{}{
+				"%0A": {},
+			},
+			url:        "http://example.com/",
+			wantStatus: http.StatusOK,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			handler := denyEncodedPathCharacters(test.encoded, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusOK)
+			}))
+
+			req := httptest.NewRequest(http.MethodGet, test.url, nil)
+			res := httptest.NewRecorder()
+
+			handler.ServeHTTP(res, req)
+
+			assert.Equal(t, test.wantStatus, res.Code)
+		})
+	}
+}
--- a/pkg/server/router/router.go
+++ b/pkg/server/router/router.go
@@ -36,25 +36,34 @@ type serviceManager interface {

 // Manager A route/router manager.
 type Manager struct {
-	routerHandlers     map[string]http.Handler
-	serviceManager     serviceManager
-	metricsRegistry    metrics.Registry
-	middlewaresBuilder middlewareBuilder
-	chainBuilder       *middleware.ChainBuilder
-	conf               *runtime.Configuration
-	tlsManager         *tls.Manager
+	routerHandlers              map[string]http.Handler
+	serviceManager              serviceManager
+	metricsRegistry             metrics.Registry
+	middlewaresBuilder          middlewareBuilder
+	chainBuilder                *middleware.ChainBuilder
+	conf                        *runtime.Configuration
+	tlsManager                  *tls.Manager
+	deniedEncodedPathCharacters map[string]map[string]struct{}
 }

 // NewManager creates a new Manager.
-func NewManager(conf *runtime.Configuration, serviceManager serviceManager, middlewaresBuilder middlewareBuilder, chainBuilder *middleware.ChainBuilder, metricsRegistry metrics.Registry, tlsManager *tls.Manager) *Manager {
+func NewManager(conf *runtime.Configuration,
+	serviceManager serviceManager,
+	middlewaresBuilder middlewareBuilder,
+	chainBuilder *middleware.ChainBuilder,
+	metricsRegistry metrics.Registry,
+	tlsManager *tls.Manager,
+	deniedEncodedPathCharacters map[string]map[string]struct{},
+) *Manager {
 	return &Manager{
-		routerHandlers:     make(map[string]http.Handler),
-		serviceManager:     serviceManager,
-		metricsRegistry:    metricsRegistry,
-		middlewaresBuilder: middlewaresBuilder,
-		chainBuilder:       chainBuilder,
-		conf:               conf,
-		tlsManager:         tlsManager,
+		routerHandlers:              make(map[string]http.Handler),
+		serviceManager:              serviceManager,
+		metricsRegistry:             metricsRegistry,
+		middlewaresBuilder:          middlewaresBuilder,
+		chainBuilder:                chainBuilder,
+		conf:                        conf,
+		tlsManager:                  tlsManager,
+		deniedEncodedPathCharacters: deniedEncodedPathCharacters,
 	}
 }

@@ -73,7 +82,7 @@ func (m *Manager) BuildHandlers(rootCtx context.Context, entryPoints []string, t
 	for entryPointName, routers := range m.getHTTPRouters(rootCtx, entryPoints, tls) {
 		ctx := log.With(rootCtx, log.Str(log.EntryPointName, entryPointName))

-		handler, err := m.buildEntryPointHandler(ctx, routers)
+		handler, err := m.buildEntryPointHandler(ctx, entryPointName, routers)
 		if err != nil {
 			log.FromContext(ctx).Error(err)
 			continue
@@ -109,7 +118,7 @@ func (m *Manager) BuildHandlers(rootCtx context.Context, entryPoints []string, t
 	return entryPointHandlers
 }

-func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string]*runtime.RouterInfo) (http.Handler, error) {
+func (m *Manager) buildEntryPointHandler(ctx context.Context, entryPointName string, configs map[string]*runtime.RouterInfo) (http.Handler, error) {
 	muxer, err := httpmuxer.NewMuxer()
 	if err != nil {
 		return nil, err
@@ -126,7 +135,7 @@ func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string
 			continue
 		}

-		handler, err := m.buildRouterHandler(ctxRouter, routerName, routerConfig)
+		handler, err := m.buildRouterHandler(ctxRouter, entryPointName, routerName, routerConfig)
 		if err != nil {
 			routerConfig.AddError(err, true)
 			logger.Error(err)
@@ -151,7 +160,7 @@ func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string
 	return chain.Then(muxer)
 }

-func (m *Manager) buildRouterHandler(ctx context.Context, routerName string, routerConfig *runtime.RouterInfo) (http.Handler, error) {
+func (m *Manager) buildRouterHandler(ctx context.Context, entryPointName, routerName string, routerConfig *runtime.RouterInfo) (http.Handler, error) {
 	if handler, ok := m.routerHandlers[routerName]; ok {
 		return handler, nil
 	}
@@ -167,7 +176,7 @@ func (m *Manager) buildRouterHandler(ctx context.Context, routerName string, rou
 		}
 	}

-	handler, err := m.buildHTTPHandler(ctx, routerConfig, routerName)
+	handler, err := m.buildHTTPHandler(ctx, routerConfig, entryPointName, routerName)
 	if err != nil {
 		return nil, err
 	}
@@ -185,7 +194,7 @@ func (m *Manager) buildRouterHandler(ctx context.Context, routerName string, rou
 	return m.routerHandlers[routerName], nil
 }

-func (m *Manager) buildHTTPHandler(ctx context.Context, router *runtime.RouterInfo, routerName string) (http.Handler, error) {
+func (m *Manager) buildHTTPHandler(ctx context.Context, router *runtime.RouterInfo, entryPointName, routerName string) (http.Handler, error) {
 	var qualifiedNames []string
 	for _, name := range router.Middlewares {
 		qualifiedNames = append(qualifiedNames, provider.GetQualifiedName(ctx, name))
@@ -217,6 +226,15 @@ func (m *Manager) buildHTTPHandler(ctx context.Context, router *runtime.RouterIn
 		chain = chain.Append(denyrouterrecursion.WrapHandler(routerName))
 	}

+	// Here we are adding deny handlers for encoded path characters and fragment.
+	// Deny handler are only added for root routers, child routers are protected by their parent router deny handlers.
+	chain = chain.Append(func(next http.Handler) (http.Handler, error) {
+		return denyFragment(next), nil
+	})
+	chain = chain.Append(func(next http.Handler) (http.Handler, error) {
+		return denyEncodedPathCharacters(m.deniedEncodedPathCharacters[entryPointName], next), nil
+	})
+
 	return chain.Extend(*mHandler).Append(tHandler).Then(sHandler)
 }

--- a/pkg/server/router/router_test.go
+++ b/pkg/server/router/router_test.go
@@ -13,6 +13,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/traefik/traefik/v2/pkg/config/dynamic"
 	"github.com/traefik/traefik/v2/pkg/config/runtime"
+	"github.com/traefik/traefik/v2/pkg/config/static"
 	"github.com/traefik/traefik/v2/pkg/metrics"
 	"github.com/traefik/traefik/v2/pkg/middlewares/accesslog"
 	"github.com/traefik/traefik/v2/pkg/middlewares/capture"
@@ -319,7 +320,7 @@ func TestRouterManager_Get(t *testing.T) {
 			chainBuilder := middleware.NewChainBuilder(nil, nil, nil)
 			tlsManager := tls.NewManager()

-			routerManager := NewManager(rtConf, serviceManager, middlewaresBuilder, chainBuilder, metrics.NewVoidRegistry(), tlsManager)
+			routerManager := NewManager(rtConf, serviceManager, middlewaresBuilder, chainBuilder, metrics.NewVoidRegistry(), tlsManager, nil)

 			handlers := routerManager.BuildHandlers(t.Context(), test.entryPoints, false)

@@ -426,7 +427,7 @@ func TestAccessLog(t *testing.T) {
 			chainBuilder := middleware.NewChainBuilder(nil, nil, nil)
 			tlsManager := tls.NewManager()

-			routerManager := NewManager(rtConf, serviceManager, middlewaresBuilder, chainBuilder, metrics.NewVoidRegistry(), tlsManager)
+			routerManager := NewManager(rtConf, serviceManager, middlewaresBuilder, chainBuilder, metrics.NewVoidRegistry(), tlsManager, nil)

 			handlers := routerManager.BuildHandlers(t.Context(), test.entryPoints, false)

@@ -814,7 +815,7 @@ func TestRuntimeConfiguration(t *testing.T) {
 			tlsManager := tls.NewManager()
 			tlsManager.UpdateConfigs(t.Context(), nil, test.tlsOptions, nil)

-			routerManager := NewManager(rtConf, serviceManager, middlewaresBuilder, chainBuilder, metrics.NewVoidRegistry(), tlsManager)
+			routerManager := NewManager(rtConf, serviceManager, middlewaresBuilder, chainBuilder, metrics.NewVoidRegistry(), tlsManager, nil)

 			_ = routerManager.BuildHandlers(t.Context(), entryPoints, false)
 			_ = routerManager.BuildHandlers(t.Context(), entryPoints, true)
@@ -891,7 +892,7 @@ func TestProviderOnMiddlewares(t *testing.T) {
 	chainBuilder := middleware.NewChainBuilder(nil, nil, nil)
 	tlsManager := tls.NewManager()

-	routerManager := NewManager(rtConf, serviceManager, middlewaresBuilder, chainBuilder, metrics.NewVoidRegistry(), tlsManager)
+	routerManager := NewManager(rtConf, serviceManager, middlewaresBuilder, chainBuilder, metrics.NewVoidRegistry(), tlsManager, nil)

 	_ = routerManager.BuildHandlers(t.Context(), entryPoints, false)

@@ -901,6 +902,124 @@ func TestProviderOnMiddlewares(t *testing.T) {
 	assert.Equal(t, []string{"m1@docker", "m2@docker", "m1@file"}, rtConf.Middlewares["chain@docker"].Chain.Middlewares)
 }

+func TestManager_BuildHandlers_Deny(t *testing.T) {
+	testCases := []struct {
+		desc               string
+		routers            map[string]*dynamic.Router
+		services           map[string]*dynamic.Service
+		requestPath        string
+		encodedCharacters  static.EncodedCharacters
+		expectedStatusCode int
+	}{
+		{
+			desc:        "unallowed request with encoded slash",
+			requestPath: "/foo%2F",
+			routers: map[string]*dynamic.Router{
+				"parent": {
+					EntryPoints: []string{"web"},
+					Rule:        "PathPrefix(`/`)",
+					Service:     "service",
+				},
+			},
+			services: map[string]*dynamic.Service{
+				"service": {
+					LoadBalancer: &dynamic.ServersLoadBalancer{
+						Servers: []dynamic.Server{{URL: "http://localhost:8080"}},
+					},
+				},
+			},
+			expectedStatusCode: http.StatusBadRequest,
+		},
+		{
+			desc:        "allowed request with encoded slash",
+			requestPath: "/foo%2F",
+			routers: map[string]*dynamic.Router{
+				"parent": {
+					EntryPoints: []string{"web"},
+					Rule:        "PathPrefix(`/`)",
+					Service:     "service",
+				},
+			},
+			services: map[string]*dynamic.Service{
+				"service": {
+					LoadBalancer: &dynamic.ServersLoadBalancer{
+						Servers: []dynamic.Server{{URL: "http://localhost:8080"}},
+					},
+				},
+			},
+			encodedCharacters: static.EncodedCharacters{
+				AllowEncodedSlash: true,
+			},
+			expectedStatusCode: http.StatusBadGateway,
+		},
+		{
+			desc:        "unallowed request with fragment",
+			requestPath: "/foo#",
+			routers: map[string]*dynamic.Router{
+				"parent": {
+					EntryPoints: []string{"web"},
+					Rule:        "PathPrefix(`/`)",
+					Service:     "service",
+				},
+			},
+			services: map[string]*dynamic.Service{
+				"service": {
+					LoadBalancer: &dynamic.ServersLoadBalancer{
+						Servers: []dynamic.Server{{URL: "http://localhost:8080"}},
+					},
+				},
+			},
+			expectedStatusCode: http.StatusBadRequest,
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.desc, func(t *testing.T) {
+			// Create runtime routers
+			runtimeRouters := make(map[string]*runtime.RouterInfo)
+			for name, router := range test.routers {
+				runtimeRouters[name] = &runtime.RouterInfo{
+					Router: router,
+				}
+			}
+
+			// Create runtime services
+			runtimeServices := make(map[string]*runtime.ServiceInfo)
+			for name, service := range test.services {
+				runtimeServices[name] = &runtime.ServiceInfo{
+					Service: service,
+				}
+			}
+
+			conf := &runtime.Configuration{
+				Routers:  runtimeRouters,
+				Services: runtimeServices,
+			}
+
+			deniedEncodedPathCharacters := map[string]map[string]struct{}{"web": test.encodedCharacters.Map()}
+			roundTripperManager := service.NewRoundTripperManager()
+			roundTripperManager.Update(map[string]*dynamic.ServersTransport{"default@internal": {}})
+			serviceManager := service.NewManager(conf.Services, nil, nil, roundTripperManager)
+			middlewaresBuilder := middleware.NewBuilder(conf.Middlewares, serviceManager, nil)
+			chainBuilder := middleware.NewChainBuilder(nil, nil, nil)
+			tlsManager := tls.NewManager()
+
+			routerManager := NewManager(conf, serviceManager, middlewaresBuilder, chainBuilder, metrics.NewVoidRegistry(), tlsManager, deniedEncodedPathCharacters)
+
+			// Build handlers
+			ctx := t.Context()
+			handlers := routerManager.BuildHandlers(ctx, []string{"web"}, false)
+
+			recorder := httptest.NewRecorder()
+			request := httptest.NewRequest(http.MethodGet, test.requestPath, http.NoBody)
+
+			handlers["web"].ServeHTTP(recorder, request)
+
+			assert.Equal(t, test.expectedStatusCode, recorder.Code)
+		})
+	}
+}
+
 type staticRoundTripperGetter struct {
 	res *http.Response
 }
@@ -960,7 +1079,7 @@ func BenchmarkRouterServe(b *testing.B) {
 	chainBuilder := middleware.NewChainBuilder(nil, nil, nil)
 	tlsManager := tls.NewManager()

-	routerManager := NewManager(rtConf, serviceManager, middlewaresBuilder, chainBuilder, metrics.NewVoidRegistry(), tlsManager)
+	routerManager := NewManager(rtConf, serviceManager, middlewaresBuilder, chainBuilder, metrics.NewVoidRegistry(), tlsManager, nil)

 	handlers := routerManager.BuildHandlers(b.Context(), entryPoints, false)

--- a/pkg/server/routerfactory.go
+++ b/pkg/server/routerfactory.go
@@ -21,9 +21,11 @@ import (

 // RouterFactory the factory of TCP/UDP routers.
 type RouterFactory struct {
-	entryPointsTCP  []string
-	entryPointsUDP  []string
-	allowACMEByPass map[string]bool
+	entryPointsTCP []string
+	entryPointsUDP []string
+
+	allowACMEByPass             map[string]bool
+	deniedEncodedPathCharacters map[string]map[string]struct{}

 	managerFactory *service.ManagerFactory

@@ -64,15 +66,21 @@ func NewRouterFactory(staticConfiguration static.Configuration, managerFactory *
 		}
 	}

+	deniedEncodedPathCharacters := map[string]map[string]struct{}{}
+	for name, ep := range staticConfiguration.EntryPoints {
+		deniedEncodedPathCharacters[name] = ep.HTTP.EncodedCharacters.Map()
+	}
+
 	return &RouterFactory{
-		entryPointsTCP:  entryPointsTCP,
-		entryPointsUDP:  entryPointsUDP,
-		managerFactory:  managerFactory,
-		metricsRegistry: metricsRegistry,
-		tlsManager:      tlsManager,
-		chainBuilder:    chainBuilder,
-		pluginBuilder:   pluginBuilder,
-		allowACMEByPass: allowACMEByPass,
+		entryPointsTCP:              entryPointsTCP,
+		entryPointsUDP:              entryPointsUDP,
+		managerFactory:              managerFactory,
+		metricsRegistry:             metricsRegistry,
+		tlsManager:                  tlsManager,
+		chainBuilder:                chainBuilder,
+		pluginBuilder:               pluginBuilder,
+		allowACMEByPass:             allowACMEByPass,
+		deniedEncodedPathCharacters: deniedEncodedPathCharacters,
 	}
 }

@@ -85,7 +93,7 @@ func (f *RouterFactory) CreateRouters(rtConf *runtime.Configuration) (map[string

 	middlewaresBuilder := middleware.NewBuilder(rtConf.Middlewares, serviceManager, f.pluginBuilder)

-	routerManager := router.NewManager(rtConf, serviceManager, middlewaresBuilder, f.chainBuilder, f.metricsRegistry, f.tlsManager)
+	routerManager := router.NewManager(rtConf, serviceManager, middlewaresBuilder, f.chainBuilder, f.metricsRegistry, f.tlsManager, f.deniedEncodedPathCharacters)

 	handlersNonTLS := routerManager.BuildHandlers(ctx, f.entryPointsTCP, false)
 	handlersTLS := routerManager.BuildHandlers(ctx, f.entryPointsTCP, true)
--- a/pkg/server/server_entrypoint_tcp.go
+++ b/pkg/server/server_entrypoint_tcp.go
@@ -606,8 +606,6 @@ func createHTTPServer(ctx context.Context, ln net.Listener, configuration *stati

 	handler = normalizePath(handler)

-	handler = denyFragment(handler)
-
 	serverHTTP := &http.Server{
 		Protocols:    &protocols,
 		Handler:      handler,
@@ -707,23 +705,6 @@ func encodeQuerySemicolons(h http.Handler) http.Handler {
 	})
 }

-// When go receives an HTTP request, it assumes the absence of fragment URL.
-// However, it is still possible to send a fragment in the request.
-// In this case, Traefik will encode the '#' character, altering the request's intended meaning.
-// To avoid this behavior, the following function rejects requests that include a fragment in the URL.
-func denyFragment(h http.Handler) http.Handler {
-	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
-		if strings.Contains(req.URL.RawPath, "#") {
-			log.WithoutContext().Debugf("Rejecting request because it contains a fragment in the URL path: %s", req.URL.RawPath)
-			rw.WriteHeader(http.StatusBadRequest)
-
-			return
-		}
-
-		h.ServeHTTP(rw, req)
-	})
-}
-
 // sanitizePath removes the "..", "." and duplicate slash segments from the URL according to https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.3.
 // It cleans the request URL Path and RawPath, and updates the request URI.
 func sanitizePath(h http.Handler) http.Handler {
--- a/pkg/server/server_entrypoint_tcp_test.go
+++ b/pkg/server/server_entrypoint_tcp_test.go
@@ -575,6 +575,10 @@ func TestPathOperations(t *testing.T) {
 	configuration := &static.EntryPoint{}
 	configuration.SetDefaults()

+	// We need to allow some of the suspicious encoded characters to test the path operations in case they are authorized.
+	configuration.HTTP.EncodedCharacters.AllowEncodedSlash = true
+	configuration.HTTP.EncodedCharacters.AllowEncodedPercent = true
+
 	// Create the HTTP server using createHTTPServer.
 	server, err := createHTTPServer(t.Context(), ln, configuration, false, requestdecorator.New(nil))
 	require.NoError(t, err)
--- a/script/gcg/traefik-bugfix.toml
+++ b/script/gcg/traefik-bugfix.toml
@@ -4,14 +4,14 @@ RepositoryName = "traefik"
 OutputType = "file"
 FileName = "traefik_changelog.md"

-# example new bugfix v2.11.30
+# example new bugfix v2.11.33
 CurrentRef = "v2.11"
-PreviousRef = "v2.11.29"
+PreviousRef = "v2.11.32"
 BaseBranch = "v2.11"
-FutureCurrentRefName = "v2.11.30"
+FutureCurrentRefName = "v2.11.33"

-ThresholdPreviousRef = 10
-ThresholdCurrentRef = 10
+ThresholdPreviousRef = 10000
+ThresholdCurrentRef = 10000

 Debug = true
 DisplayLabel = true
--- a/webui/.nvmrc
+++ b/webui/.nvmrc
@@ -1 +1 @@
-20.11.0
+24.11.0
--- a/webui/Dockerfile
+++ b/webui/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:22.9-alpine3.20
+FROM node:24-alpine3.22
 # Current Active LTS release according to (https://nodejs.org/en/about/releases/)

 ENV WEBUI_DIR=/src/webui
--- a/webui/package.json
+++ b/webui/package.json
@@ -54,7 +54,7 @@
    "cookie": "^0.7.0"
  },
  "engines": {
-    "node": "^22 || ^20 || ^18 || ^16",
+    "node": "^24 || ^22",
    "npm": ">= 6.13.4",
    "yarn": ">= 1.22.22"
  },
--- a/webui/quasar.conf.js
+++ b/webui/quasar.conf.js
@@ -132,7 +132,7 @@ module.exports = configure(function (ctx) {
      },
      target: {
        browser: ['edge88', 'firefox78', 'chrome87', 'safari13.1'],
-        node: 'node20'
+        node: 'node24'
      },
      publicPath: process.env.APP_PUBLIC_PATH || '',
      env: process.env.APP_ENV === 'development'
Author	SHA1	Message	Date
Romain	5fe10e2098	Prepare release v2.11.33	2025-12-17 10:56:04 +01:00
Jesper Noordsij	fd36de5a0a	Bump webui to NodeJS v24	2025-12-17 10:36:05 +01:00
Romain	60b19b7b81	Print access logs for rejected requests and warn about new behavior	2025-12-16 16:20:05 +01:00
Romain	e0e49533ab	Clarify doc about encodedCharacters rejection	2025-12-09 15:28:04 +01:00
Romain	351dcbd186	Fix encodedCharacters entryPoint option documentation	2025-12-08 10:44:04 +01:00
Kevin Pollet	7f40f3cd58	Fix encoded characters option documentation	2025-12-05 15:06:04 +01:00
Michael	c63be08b07	Github action release split	2025-12-05 09:44:04 +01:00
Kevin Pollet	e931a71660	Fix migration guide indentation	2025-12-04 16:40:04 +01:00
Romain	63a6172ec4	Prepare release v2.11.32	2025-12-04 15:26:04 +01:00
Romain	4d7d627319	Reject suspicious encoded characters Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2025-12-04 15:10:05 +01:00
GreyXor	0b6438b7c0	Bump github.com/quic-go/quic-go to v0.57.1	2025-12-02 09:04:05 +01:00
Michel Loiseleur	e15c11961f	Protect CI against supply chain attack on nodejs	2025-12-01 14:58:05 +01:00
Emile Vauge	042feacf3e	Update SECURITY.md to streamline information	2025-11-24 15:32:04 +01:00
Chris Wayne	759e82c3c8	Update SECURITY.md	2025-11-24 11:56:04 +01:00
GreyXor	2d7262515d	Bump github.com/quic-go/quic-go to v0.57.0	2025-11-24 10:44:04 +01:00
Kevin Pollet	f3e199cd47	Bump golang.org/x/crypto to v0.45.0	2025-11-20 11:30:05 +01:00
Kevin Pollet	9232535cf6	Validate plugin module name Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2025-11-20 10:50:04 +01:00
Kevin Pollet	79bb320f4c	Prepare release v2.11.31	2025-11-13 10:42:16 +01:00
Kevin Pollet	058b194604	Auto-negotiate Docker API version	2025-11-12 16:32:06 +01:00
@@ -1 +1 @@
 .11.0
 .11.0