I am passing a user-defined parameter directly into my response header. I have learned that this is not a good idea, since the user can manipulate the header, which can lead to cross-site scripting attacks and multiple other kinds of attacks.
https://www.fortify.com/vulncat/en/vulncat/python/header_manipulation.html
What I am doing to prevent this is validating the user input against "HTTP response splitting" by replacing the "\r" and "\n" characters with the empty string "". Is this enough, or do I have to check for other characters as well? Any pointers would be of great help.
This is my code.
// Strip CR and LF from the user-supplied value before it goes into the header
String newResponse = null;
if (response != null) {
    newResponse = response.replaceAll("[\r\n]", "");
}
Is this enough to prevent this kind of attack, or should I also validate for other characters?
A whitelist is much safer than a blacklist. Whether you can use a whitelist depends on how much you know about the user-defined parameter.
More here:
http://cwe.mitre.org/data/definitions/113.html
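An allowlist check of the kind the answer recommends, placed beside the CR/LF blacklist from the question, as an added example (this is not code from the question, the answer or any library; the class name, method names, patterns and the sample inputs are my own assumptions):

```java
import java.util.regex.Pattern;

public final class HeaderValueValidator {

    // Allowlist for a free-form header value: printable ASCII only (0x20-0x7E).
    // CR, LF, NUL, tab and every other control character fail the match, so the
    // value is rejected instead of being silently "cleaned". Length is capped too.
    // Pattern.matches() anchors to the whole input, so no ^/$ are needed.
    private static final Pattern PRINTABLE_ASCII =
            Pattern.compile("[\\x20-\\x7E]{0,256}");

    // Stricter allowlist for the usual case where the echoed parameter is a
    // simple token (an id, a slug, a flag). Prefer this whenever the format is known.
    private static final Pattern SIMPLE_TOKEN =
            Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    /** Returns true only if the value is a printable-ASCII string of bounded length. */
    public static boolean isPrintableAscii(String value) {
        return value != null && PRINTABLE_ASCII.matcher(value).matches();
    }

    /** Returns the value unchanged if it is a simple token, otherwise throws. */
    public static String requireSimpleToken(String value) {
        if (value == null || !SIMPLE_TOKEN.matcher(value).matches()) {
            throw new IllegalArgumentException("header value rejected by allowlist");
        }
        return value;
    }

    /** The blacklist from the question, for comparison: strips CR/LF but nothing else. */
    public static String stripCrLf(String value) {
        return value == null ? null : value.replaceAll("[\\r\\n]", "");
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not real traffic.
        String[] samples = {
            "order-1234",            // well-formed token: passes every check
            "ok\r\nX-Injected: 1",   // CR/LF: caught by both blacklist and allowlist
            "ok\u0000hidden",        // NUL: survives the CR/LF blacklist, fails the allowlist
            "caf\u00e9",             // non-ASCII: kept by the blacklist, rejected by the allowlist
        };
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n").replace("\u0000", "\\0");
            System.out.printf("%-22s blacklist-> %-14s printable? %-5s token? %s%n",
                    shown,
                    stripCrLf(s).replace("\u0000", "\\0"),
                    isPrintableAscii(s),
                    SIMPLE_TOKEN.matcher(s).matches());
        }
    }
}
```

In a servlet you would call something like response.setHeader("X-Param", HeaderValueValidator.requireSimpleToken(param)) and let the rejection become a 400 response rather than modifying the value and carrying on. The comparison in main shows why the answer prefers an allowlist: the CR/LF blacklist only knows about the two characters it was told about, while the allowlist rejects anything it was not told to accept, including control characters and non-ASCII bytes the author never thought of.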