Share via

Azure Blob Storage rejects Cloudflare location headers with non-ASCII characters (400 Bad Request for Polish cities like “Poznań”)

Roeder, Marcus 0 Reputation points
2025-09-03T05:52:13.0133333+00:00

We’re running into a frustrating and business-critical problem with Azure Blob Storage behind Cloudflare.

Our PDF files are in an Azure Blob container with anonymous public access enabled.

Cloudflare sits in front as a proxy and adds standard headers like cf-ipcity and cf-ipregion.

  • For many users in Poland, or Sweden, these headers contain non-ASCII characters (e.g., cf-ipcity: Poznań).

Azure Blob Storage immediately rejects the request with HTTP 400 Bad Request, making the files inaccessible.

This means that Polish customers—and likely many others in regions with diacritics—cannot access public files hosted on Azure Blob Storage when routed through Cloudflare.

The RFC are controversial about non-ASCII characters in header fields, but I think, Azure should at least tolerate or safely ignore such headers, instead of hard-failing legitimate requests with a 400.

Example with curl

curl -v -X GET https://azureopendatastorage.blob.core.windows.net/doesnotexist -H "cf-ipcity: Poznań"

results in 400 Bad Request

Interestingly, not all special characters result in Bad Request:

  • Sønderborg is fine
  • Nürnberg, no problem
  • Białystok really bad
  • Peñitas is okay
  • Győr is bad

So, if I had to guess, many characters from Unicode Block “Latin Extended-A” (https://www.unicode.org/charts/PDF/U0100.pdf) are problematic, not all UTF-8.

Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Priya ranjan Jena 1,510 Reputation points Microsoft External Staff Moderator
    2025-09-03T12:01:52.6+00:00

    Hi Roeder, Marcus,

    Thank you for reaching out on Microsoft Q&A forum

    We understand your problem & will try to help you as possible.

    400 Bad Request Error: Azure Blob Storage is likely enforcing strict header validation, and non-ASCII characters can lead to requests being rejected. This is generally tied to how HTTP headers must comply with certain specifications.

    Metadata Key and Value Names

    Metadata for a container or blob resource is stored as name-value pairs associated with the resource. Metadata key names must adhere to the following naming rules:

    Must start with a letter or underscore

    Any following characters may be letters, numbers, or underscores

    Metadata key name must be valid ASCII

    Metadata value names must also be valid ASCII. Note that metadata names preserve the case with which they were created, but are case-insensitive when set or read. If two or more metadata headers with the same name are submitted for a resource, the Blob service returns status code 400 (Bad Request).

    Blob and container names are passed to the Blob service within a URL. Certain characters must be percent-encoded to appear in a URL, using UTF-8 (preferred) or MBCS(Multi-Byte Character Set). This encoding occurs automatically when you use the Azure Storage client libraries. However, there are certain characters that are not valid in URL paths even when encoded. If these characters appear in blob or container names, the request may fail.

    Unicode characters not recommended for use in container or blob names.

    For detailed understanding of Naming and Referencing Containers, Blobs, and Metadata, please find the reference link: https://free.blessedness.top/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#unicode-characters-not-recommended-for-use-in-container-or-blob-names

    So we can try with some workarounds:

    1.You can look into Cloudflare's settings to see if there's an option to modify or sanitize these headers before they're sent to Azure Blob Storage. Perhaps instead of sending the original city names, you can map them to a set of ASCII-only names.

    • Go to Rules > Transform Rules > HTTP Request Headers
    • Create a rule:
      • If hostname matches *.blob.core.windows.net or your custom domain
      • Remove header: cf-ipcity

    2.If you need the geo headers elsewhere, introduce an intermediate proxy between Cloudflare and Azure to remove or sanitize the problematic headers before passing to Azure.

    3.Raise a Support Ticket with Microsoft Azure Since this behaviour is strict and affects legitimate traffic, raising a formal support request may help to escalate the issue.

    If you find this comment helpful, please “up-vote” for the information provided , this can be beneficial to community members.

    Kindly let us know if you have any additional questions.

    Thanks

    0 comments
  2. Priya ranjan Jena 1,510 Reputation points Microsoft External Staff Moderator
    2025-10-10T11:13:43.0966667+00:00

    Hi Roeder, Marcus,

    We have verified with product team as they have this below solution only to proceed with your issue & we have mentioned in above answer as well earlier.

    User's image

    Hope you find this answer helpful, please “up-vote” & accept it for the information provided , this can be beneficial to community members.

    Thanks

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.