Header Injection occurs when untrusted input is written into HTTP headers without strict validation,
allowing control characters or unexpected values to alter response semantics, cookies, redirects,
cache behavior, or downstream proxy interpretation.
Category: HTTP response construction flaw
Common impact: Response splitting / cookie abuse
Common surface: Redirects / filenames / cookies
Risk model: Protocol boundary injection
What is this vulnerability?
Header Injection is a protocol-layer vulnerability where user-controlled data reaches an HTTP header
without being constrained to a safe header value. If newline characters, separators, or unsafe values are
accepted, the attacker may influence additional headers or change how clients and intermediaries process the response.
How it works
The weakness commonly appears when applications place request parameters into headers such as
Location, Content-Disposition, Set-Cookie, or custom tracing headers.
A dangerous value containing CRLF-like separators can break the intended single-header boundary and introduce
attacker-controlled header semantics.
Minimal vulnerable example
This simplified Node.js example shows a download endpoint placing a user-controlled filename directly into
Content-Disposition. If the value is not validated, header control characters can alter the response.
1. User controls header value
2. Server builds response header
3. Unsafe separators are preserved
4. Extra header semantics appear
5. Client/proxy behavior changes
Potential impact
Response splitting when injected separators create additional response headers or response fragments.
Cookie manipulation if attacker-controlled values influence Set-Cookie behavior.
Open redirect or cache poisoning when unsafe values reach Location or cache-related headers.
Security header weakening if response policy headers are overwritten or interpreted unexpectedly.
Mitigation
Reject CR, LF, and other control characters in all user-controlled header values.
Use framework-provided APIs that validate and normalize header values safely.
Use allowlists for redirect targets, filenames, content types, and custom header values.
Encode filenames according to safe Content-Disposition patterns instead of raw concatenation.
Test headers through proxies, CDNs, and browsers because interpretation may differ across intermediaries.
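The following is an added example, not the page's own demo code: it pairs the raw-concatenation pattern from the download endpoint described above with a hardened Content-Disposition builder that applies the mitigations listed here (control-character rejection, an allowlisted ASCII fallback name, and RFC 5987 percent-encoding). All function names are hypothetical.

```javascript
// Added example; names are hypothetical, inputs are constructed.
// rawContentDisposition mirrors the unsafe pattern; buildContentDisposition
// is the hardened replacement.

// The unsafe pattern: raw concatenation. Whatever the client sent,
// including CR/LF, lands inside the header line unchanged.
function rawContentDisposition(untrustedName) {
  return `attachment; filename="${untrustedName}"`;
}

// A header value may not contain C0 controls (0x00-0x1F, which covers
// CR and LF) or DEL (0x7F). Non-strings (e.g. repeated query params
// parsed as arrays) are rejected as well.
function isSafeHeaderValue(value) {
  return typeof value === "string" && !/[\x00-\x1F\x7F]/.test(value);
}

// Percent-encode for an RFC 5987/8187 ext-value. encodeURIComponent
// leaves ' ( ) * alone, but they are not attr-chars, so encode them too.
function encodeExtValue(text) {
  return encodeURIComponent(text).replace(/['()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// Hardened builder: reject control characters outright, drop any
// directory part, allowlist the ASCII fallback name, and carry the
// full name only in the percent-encoded filename* parameter.
function buildContentDisposition(untrustedName) {
  if (!isSafeHeaderValue(untrustedName)) {
    throw new Error("filename contains control characters");
  }
  const base = untrustedName.split(/[\\/]/).pop();
  if (base === "" || base === "." || base === "..") {
    throw new Error("empty or relative filename");
  }
  const ascii = base.replace(/[^A-Za-z0-9._-]/g, "_");
  return `attachment; filename="${ascii}"; filename*=UTF-8''${encodeExtValue(base)}`;
}

// Constructed inputs for a stand-alone run.
console.log(buildContentDisposition("q1 (final).pdf"));
try {
  buildContentDisposition("report\r\n.pdf"); // contains CR/LF: rejected
} catch (e) {
  console.log("rejected:", e.message);
}
```

Node's core http module also throws ERR_INVALID_CHAR when setHeader receives CR or LF, but validating before the header is built turns that into a controlled 400 response and still covers code paths that write raw responses or run on other runtimes.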
Need private analysis for your codebase? Request Header Injection review and HTTP boundary risk mapping from FikreSekhel Research.