# Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') (CWE-113)

The product receives data from an HTTP agent/component, and it places this data in HTTP response headers without neutralizing CRLF sequences.

**Stack:** Python

- Prevalence: Media 3 lenguajes cubiertos
- Impact: Alto 2 reglas de severidad alta
- Prevention: Documentada 3 ejemplos de corrección

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

An attacker can inject CRLF sequences into HTTP headers to create additional headers or response body content. This can lead to cache poisoning, cross-site scripting, or other attacks.

## Prevention

Estrategias de prevención para HTTP Response Splitting basadas en 1 reglas de detección de Shoulder.

### Python

Strip CRLF characters from user input before using in HTTP headers

## Warning Signs

- [HIGH] user input flowing into HTTP response headers without CRLF
sanitization

## Consequences

- Ejecutar código no autorizado
- Eludir mecanismo de protección
- Modificar datos de la aplicación

## Mitigations

- Nunca incluyas entrada del usuario directamente en cabeceras de respuesta HTTP
- Sanea toda la entrada del usuario que pueda incluirse en cabeceras
- Usa los métodos del framework para configurar cabeceras que gestionen la codificación

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (1 rules)

- **HTTP Header Injection** [HIGH]: Detects user input flowing into HTTP response headers without CRLF
sanitization.
  - Remediation: Remove CRLF characters from header values.

```python
import re
safe_value = re.sub(r'[\r\n]', '', user_value)
```

Learn more: https://shoulder.dev/learn/python/cwe-113/header-injection