# HTTP Header Injection

- ID: python-header-injection
- Severity: HIGH
- CWE: HTTP Response Splitting (CWE-113)
- Languages: Python
- Frameworks: flask, django, fastapi

## Description

Detects user input flowing into HTTP response headers without CRLF sanitization.

## Detection Message

User input from {source} flows to HTTP header at {sink} without sanitization. Attackers can inject CRLF sequences to manipulate HTTP responses.

## Remediation

Remove CRLF characters from header values before they reach the header.

```python
import re

# Strip carriage return and line feed so the value cannot terminate the header line early
safe_value = re.sub(r'[\r\n]', '', user_value)
```

Learn more: https://shoulder.dev/learn/python/cwe-113/header-injection

## Related Rules

- **HTTP Header Injection** [MEDIUM]
- **HTTP Header Injection (Response Splitting)** [HIGH]
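The remediation above, worked through as an added example (not part of the rule's own code): a sanitizer that strips CR/LF and reports whether it had to, next to a redirect-header builder showing how an unsanitized `Location` value splits into extra header lines on the wire. The sample tainted value and all function names are constructed for this illustration.

```python
import re
from typing import Dict, Tuple

# Any CR or LF inside a header value ends the header line early on the wire.
CRLF_RE = re.compile(r'[\r\n]')


def sanitize_header_value(user_value: str) -> Tuple[str, bool]:
    """Strip CR/LF from a value destined for a response header.

    Returns (safe_value, was_modified) so the caller can log an attempted
    injection instead of silently swallowing it.
    """
    safe_value = CRLF_RE.sub('', user_value)
    return safe_value, safe_value != user_value


def render_headers(headers: Dict[str, str]) -> str:
    """Serialise headers as they appear on the wire (illustration only)."""
    return ''.join(f'{name}: {value}\r\n' for name, value in headers.items()) + '\r\n'


def redirect_headers(target: str, sanitize: bool = True) -> Dict[str, str]:
    """Build 302 redirect headers whose Location comes from user input.

    sanitize=False reproduces the vulnerable pattern this rule flags.
    """
    value = sanitize_header_value(target)[0] if sanitize else target
    return {'Location': value, 'Content-Type': 'text/html'}


def header_line_count(raw: str) -> int:
    """Count header lines in a rendered header block (terminator excluded)."""
    return len([line for line in raw.split('\r\n') if line])


# Constructed sample input: a redirect target carrying a CRLF sequence
# followed by an extra header the server should never emit.
TAINTED_TARGET = 'https://example.com/home\r\nSet-Cookie: session=attacker'

if __name__ == '__main__':
    for sanitize in (False, True):
        raw = render_headers(redirect_headers(TAINTED_TARGET, sanitize=sanitize))
        print(f'sanitize={sanitize}: {header_line_count(raw)} header lines')
        print(raw)
```

Logging the `was_modified` flag gives the SOC a detection signal for injection attempts even though the response itself stays intact.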