HPP (HTTP Parameter Pollution)
Different frameworks parse ?role=user&role=admin differently: one picks the first value, another picks the last, a third returns an array. An attacker exploits that gap by sending the parameter twice, so that the proxy or WAF in front validates one value while your handler reads the other.
What it catches
- Duplicate query-string keys: ?role=user&role=admin
- Duplicate body keys in application/x-www-form-urlencoded
- Mixed array + scalar shapes for the same key
Sample
// Before (URL)
GET /api/users?role=user&role=admin&debug=true&debug=false
// After Arcis normalization (last-value-wins by default)
req.query === { role: "admin", debug: "false" }
// Original multi-value array preserved for auditing
req.queryPolluted === { role: ["user", "admin"], debug: ["true", "false"] }
Configuration
import { hppProtection } from '@arcis/node';
app.use(hppProtection({
resolution: 'last', // 'first' | 'last' | 'reject'
allowedMulti: ['tag', 'category'] // keys that legitimately accept arrays
}));
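The parser gap described at the top of the page and the resolution / allowedMulti options in the configuration above, as an added worked example in plain Node.js. This is not Arcis's own implementation: parseMulti, parserGap and normalizeQuery are illustrative names, and the query strings are constructed for the demonstration. It uses Node's built-in URLSearchParams, whose get() returns the first occurrence, so one parser can show the first-wins, last-wins and array views side by side; an application/x-www-form-urlencoded body is the same grammar, so the same normalizer applies to it.

```javascript
// Added example, not Arcis code. Function names are illustrative assumptions.

// Parse a raw query string (or form-urlencoded body) into { key: [values...] },
// keeping every occurrence in order. URLSearchParams handles percent-decoding,
// '+' as space, and a leading '?'. Null-prototype objects so a key such as
// __proto__ becomes an ordinary property instead of rewriting the prototype.
function parseMulti(raw) {
  const out = Object.create(null);
  for (const [key, value] of new URLSearchParams(raw)) {
    if (!out[key]) out[key] = [];
    out[key].push(value);
  }
  return out;
}

// Three consumers of the same query string, three different answers:
//   first: URLSearchParams#get returns the first occurrence
//   last:  a naive "assign into an object" loop keeps the last occurrence
//   all:   getAll returns every occurrence as an array
// A proxy that validates `first` and a handler that acts on `last` is the HPP bug.
function parserGap(raw, key) {
  const params = new URLSearchParams(raw);
  const lastWins = Object.create(null);
  for (const [k, v] of params) lastWins[k] = v;
  return { first: params.get(key), last: lastWins[key], all: params.getAll(key) };
}

// Normalize under one explicit policy so proxy and handler agree.
// resolution: 'first' | 'last' | 'reject'; allowedMulti: keys that keep arrays.
// Returns the flattened query plus the untouched multi-value view for auditing.
function normalizeQuery(raw, { resolution = 'last', allowedMulti = [] } = {}) {
  const polluted = parseMulti(raw);
  const allow = new Set(allowedMulti);
  const query = Object.create(null);
  for (const [key, values] of Object.entries(polluted)) {
    if (allow.has(key)) { query[key] = values; continue; }   // legitimate array
    if (values.length === 1) { query[key] = values[0]; continue; }
    switch (resolution) {
      case 'first': query[key] = values[0]; break;
      case 'last': query[key] = values[values.length - 1]; break;
      case 'reject': throw new Error(`duplicate parameter "${key}" rejected`);
      default: throw new TypeError(`unknown resolution: ${resolution}`);
    }
  }
  return { query, polluted };
}

// Constructed sample request: role and debug are polluted, tag is a real multi-value key.
const sampleQuery = 'role=user&role=admin&debug=true&debug=false&tag=a&tag=b';
console.log('parser gap for role:', parserGap(sampleQuery, 'role'));
console.log('last-wins:', normalizeQuery(sampleQuery, { allowedMulti: ['tag'] }).query);
console.log('first-wins:', normalizeQuery(sampleQuery, { resolution: 'first', allowedMulti: ['tag'] }).query);
try {
  normalizeQuery(sampleQuery, { resolution: 'reject' });
} catch (err) {
  console.log('reject:', err.message);
}
```

With 'reject', a single unexpected duplicate fails the whole request before any handler runs, which is the safest default when no key legitimately repeats; 'first' and 'last' only help if every layer in front of the handler uses the same rule.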