# Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') (CWE-113)

The product receives data from an HTTP agent/component, and it places this data in HTTP response headers without neutralizing CRLF sequences.

**Stack:** JavaScript

- Prevalence: Moyenne 3 langages couverts
- Impact: Élevé 2 règles de sévérité élevée
- Prevention: Documentée 3 exemples de correctifs

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

An attacker can inject CRLF sequences into HTTP headers to create additional headers or response body content. This can lead to cache poisoning, cross-site scripting, or other attacks.

## Prevention

Stratégies de prévention pour HTTP Response Splitting basées sur 1 règles de détection Shoulder.

### JavaScript

Strip CRLF characters from user input before setting HTTP response headers

## Warning Signs

- [HIGH] user input flowing into HTTP response headers without CRLF sanitization

## Consequences

- Exécuter du code non autorisé
- Contourner le mécanisme de protection
- Modification des données de l'application

## Mitigations

- N'incluez jamais directement d'entrée utilisateur dans les en-têtes de réponse HTTP
- Assainissez toute entrée utilisateur susceptible d'être incluse dans les en-têtes
- Utilisez les méthodes fournies par le framework pour définir les en-têtes, qui gèrent l'encodage

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Javascript (1 rules)

- **HTTP Header Injection (Response Splitting)** [HIGH]: Detects user input flowing into HTTP response headers without CRLF sanitization.
  - Remediation: Remove CRLF characters from user input before setting headers.

```javascript
const sanitized = userInput.replace(/[\r\n]/g, '');
res.setHeader('X-Custom-Header', sanitized);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-113/header-injection

### Typescript (1 rules)

- **HTTP Header Injection (Response Splitting)** [HIGH]: Detects user input flowing into HTTP response headers without CRLF sanitization.
  - Remediation: Remove CRLF characters from user input before setting headers.

```javascript
const sanitized = userInput.replace(/[\r\n]/g, '');
res.setHeader('X-Custom-Header', sanitized);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-113/header-injection