# HTTP Header Injection

- ID: go-header-injection
- Severity: MEDIUM
- CWE: HTTP Response Splitting (CWE-113)
- Languages: Go

## Description

Detects user input flowing to HTTP headers without CRLF sanitization.

## Remediation

Remove CRLF characters from user input before setting headers.

```go
value := strings.ReplaceAll(userInput, "\r", "")
value = strings.ReplaceAll(value, "\n", "")
w.Header().Set("X-Custom", value)
```

Learn more: https://shoulder.dev/learn/go/cwe-113/header-injection

## Related Rules

- **HTTP Header Injection (Response Splitting)** [HIGH]:
- **HTTP Header Injection** [HIGH]:
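
The CRLF-stripping remediation from this rule, wired into a complete handler and exercised with `net/http/httptest` so the resulting header value can be checked offline. This is an added example, not code from the rule itself; the `tag` query parameter and the names `stripCRLF`, `customHeaderHandler` and `headerFor` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// stripCRLF removes carriage returns and line feeds so a value cannot
// terminate the current header line and begin a new one.
func stripCRLF(s string) string {
	return strings.NewReplacer("\r", "", "\n", "").Replace(s)
}

// customHeaderHandler copies the "tag" query parameter (hypothetical name)
// into the X-Custom response header after sanitizing it.
func customHeaderHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("X-Custom", stripCRLF(r.URL.Query().Get("tag")))
	w.WriteHeader(http.StatusNoContent)
}

// headerFor runs the handler against a constructed request and returns the
// X-Custom value it set, so the result can be inspected without a network.
func headerFor(tag string) string {
	req := httptest.NewRequest(http.MethodGet, "/?tag="+url.QueryEscape(tag), nil)
	rec := httptest.NewRecorder()
	customHeaderHandler(rec, req)
	return rec.Header().Get("X-Custom")
}

func main() {
	// Constructed inputs: a benign value and two carrying embedded CR/LF.
	for _, in := range []string{"blue", "blue\r\nX-Extra: 1", "a\rb\nc"} {
		fmt.Printf("%q -> %q\n", in, headerFor(in))
	}
}
```

A unit test of this shape in the code base keeps the sanitizer from being dropped during a later refactor of the handler.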