Skill

header-injection

Flags HTTP header injection (CWE-113) vulnerabilities when setting response headers from user input, parameters, or external data. Recommends CRLF stripping for headers, Content-Disposition filenames, Location headers, and forwarded values.

Javascript

Python

Express

security

npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Protects against HTTP response header injection where user input containing `\r\n`

SKILL.md

Similar Skills

security-headers-configuration

Configures HTTP security headers like HSTS, CSP, X-Frame-Options, X-Content-Type-Options for Express, Nginx, Flask. Protects against XSS, clickjacking, MIME sniffing; useful for hardening web apps and passing audits.

1 file

security-headers-configuration

memstack-security-csp-headers

307

Audits HTTP security headers like CSP, HSTS, X-Frame-Options; identifies permissive directives; generates secure policies for web apps on Next.js, Express, Nginx, Vercel.

memstack

security-headers-generator

2.0k

Generates security headers configurations and provides step-by-step guidance for security fundamentals including authentication, input validation, secure coding, and vulnerability detection. Useful for web security tasks.

4 tools

jeremylongshore-claude-code-plugins-plus-skills

Stats

Stars13

Forks0

Last CommitApr 18, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

HTTP Header Injection Security Check (CWE-113)

What this checks

Protects against HTTP response header injection where user input containing \r\n (CRLF) characters is included in response headers, allowing attackers to inject arbitrary headers or split the HTTP response. Exploitation leads to cache poisoning, session fixation, XSS via injected headers, and response splitting.

Vulnerable patterns

response.headers["X-Custom"] = user_input — CRLF in input injects new headers
w.Header().Set("Content-Disposition", "attachment; filename=" + filename) — newlines in filename
ctx.set("Location", redirectUrl) — CRLF splits response
resp.setHeader("X-Request-Id", req.getHeader("X-Correlation-Id")) — forwarding unsanitized header

Fix immediately

Flag the vulnerable code and explain the risk. Then suggest a fix that establishes these properties:

Every header value derived from user input is stripped of CR/LF before it reaches the header-set call. A single \r\n in a value ends the header block and starts a new header (or a new response body). The strip happens at or before the call site — relying on the framework to reject it is fragile across versions.
Forwarded headers are sanitized too. Values read from incoming requests (correlation IDs, user agents, custom headers) are attacker-controlled just like form inputs. Echoing them into outgoing responses or logs without stripping is the same vulnerability.
Content-Disposition filenames are normalized — CRLF stripped, quotes escaped, and for international characters use RFC 5987 filename*=UTF-8''… rather than raw UTF-8 in the header value.
Redirect Location headers are validated too. A CRLF in the target URL splits the response; see the open-redirect skill for target-host validation.

Anchor — shape, not implementation:

def safe_header(v): return v.replace("\r", "").replace("\n", "")
response.set_header("X-Custom",      safe_header(user_input))
response.set_header("Location",      safe_header(validated_url))
response.set_header("Content-Disposition", f'attachment; filename="{safe_header(name)}"')

Verification

Every HTTP response header value derived from user input has \r and \n characters stripped or rejected before being set
Content-Disposition filenames from user input are sanitized for CRLF and special characters
Forwarded headers (correlation IDs, request IDs) from incoming requests are sanitized before inclusion in outgoing responses

References

CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers)
CWE-93 (Improper Neutralization of CRLF Sequences)