Q: How do I prevent HTTP header injection?

Strip or reject CRLF characters (\r\n) from all user input used in HTTP headers. Use framework-provided methods for setting headers instead of manual string concatenation. Validate and encode output, keep web server software up to date, and use security headers like Content-Security-Policy.

Question 1

What is HTTP header injection?

Accepted Answer

HTTP header injection occurs when an attacker injects carriage return and line feed (CRLF) characters into HTTP headers through unsanitized user input. This can lead to response splitting, where the attacker controls part of the HTTP response, enabling attacks like cross-site scripting, cache poisoning, and session hijacking.

Question 2

How do I prevent HTTP header injection?

Accepted Answer

Strip or reject CRLF characters (
) from all user input used in HTTP headers. Use framework-provided methods for setting headers instead of manual string concatenation. Validate and encode output, keep web server software up to date, and use security headers like Content-Security-Policy.

HTTP Header Injection

Challenges

Frequently Asked Questions