{
    "slug": "header_injection",
    "term": "Header Injection",
    "category": "security",
    "difficulty": "intermediate",
    "short": "User input included in an HTTP response header without stripping newlines enables response splitting and redirect hijacking.",
    "long": "HTTP/1.1 separates headers with CRLF (\\r\\n) and ends the header block with an empty line. If an attacker-controlled value containing CR or LF reaches a response header unchanged — note that request parameters arrive already URL-decoded, so %0d%0a is a literal CRLF by the time it is used — the attacker can terminate the current header and append their own (for example Set-Cookie for session fixation, or Location to hijack a redirect) or, with an empty line, end the headers and supply an entire second response body: HTTP Response Splitting. Consequences include cache poisoning, reflected XSS and open redirects. Prevention: prefer an allowlist of expected values; where a dynamic value is unavoidable, reject (or at least strip) every \\r, \\n and NUL byte immediately before it is written to the header, after all decoding has happened. Some runtimes add a safety net — PHP's header() has refused to send a header containing a newline since 5.1.2 — but treat that as defence in depth, not as the fix.",
    "aliases": [
        "HTTP header injection",
        "response header injection"
    ],
    "tags": [
        "injection",
        "headers",
        "cwe-113"
    ],
    "misconception": "Header injection is a cosmetic issue that at worst garbles one header. In reality a single injected CRLF lets the attacker append arbitrary headers (Set-Cookie, Location) or an entire second response, which is the basis of HTTP Response Splitting, XSS via reflected headers, cache poisoning and open redirects.",
    "why_it_matters": "Injecting headers via user input can redirect users, poison caches, or enable XSS through response splitting — all from a single unvalidated string.",
    "common_mistakes": [
        "Passing unsanitised user input to PHP's header() function, especially in Location or Set-Cookie headers.",
        "Treating request headers such as X-Forwarded-For, Referer or Host as trustworthy and copying them into response headers — every request header is attacker-controlled.",
        "Not stripping \\r and \\n from any value that ends up in an HTTP header.",
        "Decoding a value (URL-, base64- or JSON-decoding) after it has been checked, so that an encoded %0d%0a becomes a real CRLF only once validation has passed — validate immediately before the header() call, after all decoding."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "open_redirect"
    ],
    "prerequisites": [
        "http_response_splitting",
        "input_validation",
        "crlf_injection"
    ],
    "refs": [
        "https://owasp.org/www-community/attacks/HTTP_Response_Splitting",
        "https://cwe.mitre.org/data/definitions/113.html"
    ],
    "bad_code": "// User input injected into header — attacker can inject newlines\n\\$lang = \\$_GET['lang'];\nheader(\"Content-Language: \\$lang\");\n// ?lang=en%0d%0aSet-Cookie:admin=1  → the decoded CRLF injects an extra header\n// (PHP >= 5.1.2 refuses newline-containing headers with a warning; the pattern\n// remains exploitable in runtimes and frameworks that do not, and the unvalidated\n// value may reach other sinks)",
    "good_code": "// Allowlist approach — the response only ever contains a value you chose\n\\$allowed = ['en', 'fr', 'de', 'es', 'ja'];\n\\$lang    = in_array(\\$_GET['lang'] ?? 'en', \\$allowed, true)\n           ? \\$_GET['lang'] : 'en';\nheader(\"Content-Language: \\$lang\");\n\n// If a dynamic value is unavoidable, remove CR, LF and NUL right before the\n// header() call (or, better, reject the request when they are present):\n\\$clean = str_replace([\"\\r\", \"\\n\", \"\\0\"], '', \\$value);\nheader(\"X-Custom: \\$clean\");",
    "quick_fix": "Validate against an allowlist where possible; otherwise reject (or strip) \\r, \\n and NUL immediately before the value reaches header(), after all decoding. PHP's header() has refused to send a header containing a newline since 5.1.2 (it warns and drops the header) — treat that as defence in depth, not the fix, and do not assume other runtimes behave the same way.",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/header_injection",
        "html_url": "https://codeclaritylab.com/glossary/header_injection",
        "json_url": "https://codeclaritylab.com/glossary/header_injection.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Header Injection](https://codeclaritylab.com/glossary/header_injection) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/header_injection"
            }
        }
    }
}