# HTTP Header Injection (Response Splitting)

- ID: javascript-header-injection
- Severity: HIGH
- CWE: HTTP Response Splitting (CWE-113)
- Languages: JavaScript, TypeScript
- Frameworks: nodejs, express, fastify, koa, hapi, nestjs

## Description

Detects user input flowing into HTTP response headers without CRLF sanitization.

## Detection Message

Untrusted input from {source} flows into HTTP header at {sink}. This can enable HTTP response splitting attacks by injecting CRLF characters.

## Remediation

Remove CRLF characters from user input before setting headers.

```javascript
// userInput is any request-controlled value (query string, form field, header)
// that ends up in a response header. Strip CR and LF so the value cannot
// terminate the header line and start a new one.
const sanitized = userInput.replace(/[\r\n]/g, '');
res.setHeader('X-Custom-Header', sanitized);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-113/header-injection

## Related Rules

- **HTTP Header Injection** [MEDIUM]
- **HTTP Header Injection** [HIGH]
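The remediation above strips CR/LF; the following added example (not code from the rule or from shoulder.dev) shows that stripping approach next to a stricter allowlist check that rejects any value outside the printable header field-value grammar, wrapped in a helper that validates before calling `setHeader`. The function names, the fake response object and the sample input are assumptions constructed for the example.

```javascript
// Added example: sanitize and validate header values before they reach
// res.setHeader / res.redirect. All names here are hypothetical.

// Conservative header field-value grammar: horizontal tab, space and
// printable ASCII (0x20-0x7E). CR (0x0D) and LF (0x0A) are excluded, so a
// value matching this can never terminate the header line. Non-ASCII
// "obs-text" bytes are deliberately not accepted.
const FIELD_VALUE_RE = /^[\t\x20-\x7E]*$/;

// Stripping approach, as in the rule's remediation: drop CR and LF.
function sanitizeHeaderValue(value) {
  return String(value).replace(/[\r\n]/g, '');
}

// Stricter approach: reject instead of silently rewriting. Returns true
// only when the value is safe to emit as a header field-value.
function isValidHeaderValue(value) {
  return FIELD_VALUE_RE.test(String(value));
}

// Wrapper for any response object exposing setHeader(name, value), such as
// Node's http.ServerResponse or an Express res. Validates first; throws so a
// caller cannot accidentally emit a split response. Returns the value set.
function setHeaderSafely(res, name, value) {
  if (!isValidHeaderValue(value)) {
    throw new TypeError(`Refusing to set header ${name}: CR/LF or control characters in value`);
  }
  res.setHeader(name, value);
  return value;
}

// Minimal stand-in for a response object so the example runs offline.
function makeFakeResponse() {
  const headers = {};
  return {
    headers,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
  };
}

// Constructed sample input: a redirect target carrying a CRLF sequence,
// the kind of value the rule flags when it flows from req.query into a header.
const untrusted = '/dashboard\r\nX-Injected: 1';

const res = makeFakeResponse();
setHeaderSafely(res, 'Location', sanitizeHeaderValue(untrusted));
console.log(res.headers.location);        // "/dashboardX-Injected: 1" (one header line)
console.log(isValidHeaderValue(untrusted)); // false: the raw value is rejected
```

Current Node.js releases already throw `ERR_INVALID_CHAR` when a CR or LF reaches `setHeader`, so the explicit check mainly turns a late 500 into an early, logged rejection and also covers sinks that bypass Node's validation.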