HTTP Header Injection and Response Splitting
Header injection vulnerabilities arise when unvalidated input is copied into an HTTP header; an attacker can then insert additional headers or, by injecting a line break, split one response into two.
Prevention in Apache:
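# Enable mod_headers and mod_security
# Limit what httpd itself advertises in its Server header. This is a core
# directive, so it works even when mod_headers is not loaded.
ServerTokens Prod
<IfModule mod_headers.c>
    # Remove version-disclosing headers added by application frameworks.
    # "always" applies the edit to every response, including error and
    # redirect responses that are not handled by the application.
    Header always unset X-Powered-By
    Header always unset X-AspNet-Version
    # NOTE: this is widely reported to have no effect on httpd's own Server
    # header, which the core adds after mod_headers has run; ServerTokens
    # above is what actually reduces it. Kept for third-party proxies that
    # inject their own Server header.
    Header always unset Server
    # Strip CR/LF from request header values before the application sees them.
    # "edit*" replaces every occurrence; plain "edit" stops after the first
    # match, which would leave a second injected line in place.
    # Recent httpd releases already reject raw CR/LF in request headers at the
    # protocol level (see HttpProtocolOptions), so this is defence in depth.
    RequestHeader edit* Cookie "[\r\n]+" ""
    RequestHeader edit* User-Agent "[\r\n]+" ""
</IfModule>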
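<IfModule mod_security2.c>
    # These rules are only enforced when SecRuleEngine is On; under
    # DetectionOnly they merely log.
    #
    # "deny,status:..." is used instead of "block": "block" only inherits the
    # disruptive action of the matching SecDefaultAction, and the built-in
    # default action is "pass", so a bare "block" would not reject anything
    # unless a SecDefaultAction for that phase had been configured.
    # t:none disables default transformations so the raw header bytes are
    # what the regex sees.

    # Reject any request header value containing CR or LF. Current httpd
    # already refuses such requests before rules run; this is defence in depth
    # and also covers older builds.
    SecRule REQUEST_HEADERS "@rx [\r\n]" \
        "id:1001,\
        phase:1,\
        t:none,\
        log,\
        deny,\
        status:400,\
        msg:'HTTP Header Injection Attack',\
        severity:CRITICAL"

    # Response splitting: a CR or LF inside a response header value (the
    # negative lookahead excludes the header's own terminating newline) means
    # unsanitised data reached a header. phase:3 runs after the application has
    # produced its response headers and before they are sent to the client.
    SecRule RESPONSE_HEADERS "@rx [\r\n](?!$)" \
        "id:1002,\
        phase:3,\
        t:none,\
        log,\
        deny,\
        status:500,\
        msg:'HTTP Response Splitting',\
        severity:CRITICAL"
</IfModule>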
Prevention in Nginx:
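# Input validation for headers
server {
    # A User-Agent containing CR/LF must never be re-emitted in an outgoing
    # header or log line, so substitute a fixed marker. As far as I can tell
    # nginx's own parser does not keep raw CR/LF inside a header value, so in
    # practice this is defence in depth rather than the primary control.
    set $cleaned_user_agent $http_user_agent;
    if ($http_user_agent ~ [\r\n]) {
        set $cleaned_user_agent "InvalidUserAgent";
    }

    # A Referer with CR/LF is rejected outright instead of being cleaned.
    if ($http_referer ~ [\r\n]) {
        return 400;
    }

    location /api {
        # Allow-list the callback parameter: only [A-Za-z0-9_] is accepted.
        # $arg_callback is not percent-decoded, so a URL-encoded line break
        # (%0d%0a) also fails this check. An absent or empty parameter passes
        # and results in no X-Callback header being sent upstream.
        if ($arg_callback ~ [^a-zA-Z0-9_]) {
            return 400 "Invalid callback parameter";
        }

        # Only a server-generated value is placed in the response header.
        # Note: an add_header at this level replaces, rather than extends,
        # any add_header directives inherited from the server block.
        add_header X-Request-ID $request_id always;

        # Re-derive the upstream value through an anchored allow-list match so
        # that X-Callback can only ever carry the validated token, even if the
        # rejection rule above is loosened later. An empty $safe_callback makes
        # nginx omit the header entirely.
        set $safe_callback "";
        if ($arg_callback ~ ^([a-zA-Z0-9_]+)$) {
            set $safe_callback $1;
        }

        proxy_pass http://backend;
        proxy_set_header X-Callback $safe_callback;
        # Forward the cleaned User-Agent computed above; in the original
        # configuration $cleaned_user_agent was set but never used, so the
        # raw header still reached the backend.
        proxy_set_header User-Agent $cleaned_user_agent;
    }
}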