diff --git a/src/h2.c b/src/h2.c
index a4578f468..9c02cd3c5 100644
--- a/src/h2.c
+++ b/src/h2.c
@@ -492,6 +492,7 @@ static struct htx_sl *h2_prepare_htx_reqline(uint32_t fields, struct ist *phdr,
 int uri_idx = H2_PHDR_IDX_PATH;
 unsigned int flags = HTX_SL_F_NONE;
 struct htx_sl *sl;
+ size_t i;
 
 if ((fields & H2_PHDR_FND_METH) && isteq(phdr[H2_PHDR_IDX_METH], ist("CONNECT"))) {
 /* RFC 7540 #8.2.6 regarding CONNECT: ":scheme" and ":path"
@@ -538,6 +539,13 @@ static struct htx_sl *h2_prepare_htx_reqline(uint32_t fields, struct ist *phdr,
 if (!phdr[uri_idx].len)
 goto fail;
 
+ /* make sure :path doesn't contain LWS nor CTL characters */
+ for (i = 0; i < phdr[uri_idx].len; i++) {
+ unsigned char c = phdr[uri_idx].ptr[i];
+ if (HTTP_IS_LWS(c) || HTTP_IS_CTL(c))
+ htx->flags |= HTX_FL_PARSING_ERROR;
+ }
+
 /* Set HTX start-line flags */
 flags |= HTX_SL_F_VER_11; // V2 in fact
 flags |= HTX_SL_F_XFER_LEN; // xfer len always known with H2
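Review bot: The new loop in the second hunk only sets `HTX_FL_PARSING_ERROR` and then goes on to build the start-line, unlike the empty-value check just above it, which does `goto fail`. The request is therefore rejected only if later consumers of this HTX message check that flag before the URI is forwarded. If the soft failure is intentional, the comment should say so, e.g. `/* only flag the error so the upper layer can report it; a message carrying this flag must not be forwarded */`, and the branch can stop at the first bad byte with `if (HTTP_IS_LWS(c) || HTTP_IS_CTL(c)) { htx->flags |= HTX_FL_PARSING_ERROR; break; }`. The comment names `:path`, but the loop reads `phdr[uri_idx]`, and the CONNECT branch in the first hunk (its body lies outside the hunk) may select a different pseudo-header, so "the URI pseudo-header" would be more accurate. Whether `:method` and `:scheme` get the same LWS/CTL filtering is not visible here; if they do not, they would presumably need the same check before being serialized into an HTTP/1 start-line.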