
HTTP Header Injection

An attacker embeds CRLF into a header value (typically a redirect URL or a cookie attribute) and splits the response, injecting their own headers or body. Arcis strips control characters from anything written to response headers.

What it catches

Sample

import { sanitizeHeaderValue, sanitizeHeaderValue as _unused, sanitizeHeaders } from '@arcis/node';

// Single header value. user_input is a request-derived string (assumed in scope);
// any CR, LF or other control character in it is removed before use.
const safe = sanitizeHeaderValue(user_input);

// Whole header object: every value is sanitized, header names pass through unchanged.
// res is the Express-style response object; next_url and user_input come from the request.
res.set(sanitizeHeaders({
  'Location': next_url,
  'X-Set-By': user_input
}));

The middleware applies this automatically to response headers; you only need to call it directly when constructing a custom header value from user data outside the middleware path.

References