CRLF header injection defense

The threat

CRLF (Carriage Return Line Feed) injection occurs when \r\n characters in header values allow an attacker to inject additional HTTP headers or split the response. This can lead to HTTP response splitting, cache poisoning, or session fixation.

How parcely prevents it

parcely constructs all request headers using the native Headers API. The Headers constructor and set/append methods validate header names and values, rejecting any that contain \r, \n, or \0 characters.

If a CRLF injection is detected, parcely throws HttpError with code: 'ERR_CRLF_INJECTION'.

Example

import { createClient } from '@parcely/core'

const http = createClient({ baseURL: 'https://api.example.com' })

// This throws HttpError with code: 'ERR_CRLF_INJECTION'
await http.get('/data', {
  headers: { 'X-Custom': 'value\r\nInjected-Header: malicious' },
})
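The mechanism described above, as an added illustration that is not parcely's own code: the WHATWG Headers API rejects CR, LF and NUL in header values with a TypeError, and a thin wrapper (hypothetical names buildHeaders and checkHeaders) translates that into an HttpError carrying the 'ERR_CRLF_INJECTION' code. It assumes a runtime with a global Headers (Node 18+, browsers, Deno).

```javascript
// Added illustration, not parcely's implementation. Assumes a runtime
// with a global WHATWG Headers (Node 18+, browsers, Deno).

class HttpError extends Error {
  constructor(message, code) {
    super(message);
    this.name = 'HttpError';
    this.code = code;
  }
}

// True when the string contains bytes that would terminate or split a header line.
function containsCrlf(value) {
  return /[\r\n\0]/.test(String(value));
}

// Build a Headers object from a plain record. The platform throws a TypeError
// for invalid names or values; CR/LF/NUL cases are re-thrown as an HttpError
// with a stable code so callers can branch on it.
function buildHeaders(record) {
  const headers = new Headers();
  for (const [name, value] of Object.entries(record)) {
    try {
      headers.set(name, value);
    } catch (err) {
      if (containsCrlf(value) || containsCrlf(name)) {
        // Only the first line of the name is echoed, so the error message
        // itself cannot carry the injected payload.
        throw new HttpError(
          `CRLF injection attempt in header "${name.split(/[\r\n\0]/)[0]}"`,
          'ERR_CRLF_INJECTION'
        );
      }
      throw err; // some other invalid header, e.g. bad token chars in the name
    }
  }
  return headers;
}

// Classify a header record without throwing: { ok, code }.
function checkHeaders(record) {
  try {
    buildHeaders(record);
    return { ok: true, code: null };
  } catch (err) {
    return { ok: false, code: err.code ?? err.name };
  }
}
```

Because the check lives in the platform's Headers implementation rather than in a regex the client maintains, a value that survives buildHeaders is one the runtime itself was willing to serialize.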

Security table reference

This corresponds to row 6 in the security defaults table:

#  | Defense                                         | Default
6  | CRLF injection defense via native Headers API   | Always on

Always on

This defense cannot be disabled. The native Headers API enforces this at the platform level.