How to add Protocol Downgrade

If you're incorporating Standard TLS or Akamai's shared certificate delivery security (HTTPS L1), you may want to apply HTTPS to the request from the client to our Edge servers, but "downgrade" the connection to HTTP-only between Akamai and your origin. We refer to this as "Protocol Downgrade."

NetStorage
If you're using NetStorage as your origin server in your AMD property, Protocol Downgrade does not apply.

Overview

The secure HTTPS connection starts with the client that accesses our Edge servers, where your AMD property is read and processed. However, the connection between our Edge servers and your origin is HTTP-only when content is delivered from your origin.

You might need Protocol Downgrade in your environment if either of the following applies:

  • You haven't upgraded your origin to support secure connections. (Or, you don't want to.)
  • You want to avoid the overhead associated with Secure Sockets Layer (SSL) when serving assets that contain no personally identifiable information (PII).

To implement this, we offer the Protocol Downgrade (HTTPS Downgrade to Origin) behavior that can be applied to your AMD property.

Important features and limitations

Before you set up this behavior, review the points here to familiarize yourself with its various features and limitations.

  • Secure (HTTPS) hostnames, only: This behavior requires secure certificate delivery (HTTPS). However, Enhanced TLS (L3) certificate security is not supported. (The legacy "Protocol Downgrade" behavior supports it.) This behavior is only supported for use with the following:
    • Standard TLS (L1) Certificate
    • Shared Certificate hostname
  • A downgrade is restricted to GET, HEAD and OPTIONS methods.
  • This behavior does not allow whole site downgrades. For example, you can't use this behavior to downgrade delivery of the full site, "www.mymediasite.com", from your origin.
  • There are no limits on downgrade based on file extension. We don't limit the downgrade of specific file types.
  • This behavior does not trim query strings on a downgrade. If your origin delivers assets that incorporate query strings, they're left as is.
  • You can include all headers in a downgraded request, except the following:
    • Origin
    • Referer
    • Cookie
    • Cookie2
    • sec-*
    • proxy-*
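
The method restriction and header exclusion list above, modeled as an added Python example (not Akamai's code and not part of the original page). It assumes header names are compared case-insensitively and that `sec-*` and `proxy-*` are prefix wildcards; `plan_downgrade`, `is_excluded` and the sample requests are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Rules copied from the list above; the matching logic is a model, not Akamai's code.
DOWNGRADE_METHODS = {"GET", "HEAD", "OPTIONS"}
EXCLUDED_HEADERS = ("origin", "referer", "cookie", "cookie2", "sec-*", "proxy-*")


def is_excluded(header_name):
    """True if the header is on the exclusion list (assumed case-insensitive)."""
    name = header_name.strip().lower()
    return any(fnmatchcase(name, pattern) for pattern in EXCLUDED_HEADERS)


def plan_downgrade(method, headers):
    """Model one request: is it eligible, and which headers cross the HTTP hop?"""
    eligible = method.upper() in DOWNGRADE_METHODS
    forwarded = {k: v for k, v in headers.items() if not is_excluded(k)}
    withheld = sorted(k for k in headers if is_excluded(k))
    return {"eligible": eligible, "forwarded": forwarded, "withheld": withheld}


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("GET", {"Host": "media.example.com", "Cookie": "session=abc",
             "Sec-Fetch-Mode": "cors", "Origin": "https://app.example.com",
             "Authorization": "Bearer constructed-token", "Range": "bytes=0-1023"}),
    ("POST", {"Host": "media.example.com", "Content-Type": "application/json"}),
]

if __name__ == "__main__":
    for method, headers in SAMPLES:
        plan = plan_downgrade(method, headers)
        print(method, "eligible for downgrade:", plan["eligible"])
        print("  not included toward origin:", plan["withheld"])
        print("  included on the HTTP hop:  ", sorted(plan["forwarded"]))
```

Running this over the header sets your clients actually send shows two things to review before enabling the behavior: whether the origin depends on a header it will no longer receive (for example `Cookie` or `Origin`), and which headers outside the list would travel over the HTTP-only hop.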

How do I get the Protocol Downgrade (HTTPS Downgrade to Origin) behavior?

You need to have this added to your contract to access the appropriate behavior in Property Manager. Contact your Account Representative to add this functionality.