Directly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP response-splitting vulnerability.

If user-controlled input is written into an HTTP header without line break characters being rejected or removed, an attacker can terminate the header line and inject additional headers or even control the response body, leading to vulnerabilities such as cross-site scripting (XSS) or cache poisoning.

Ensure that user input containing line break characters is not written to an HTTP header.

In the following example, the case marked BAD writes user input directly to the header name. In the GOOD case, the input is first sanitized so that it no longer contains any line break characters before it is written to the header.
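The following Python snippet is an added illustration (not code from the original page): a deliberately naive header serializer makes the split visible, a BAD setter writes the user-controlled value verbatim, and a GOOD setter removes CR and LF first. It uses the header value rather than the header name, but the same rule applies to both; the `X-Language` header and the tainted input are constructed for the example.

```python
# Added example: how a CR/LF in user input splits an HTTP header block,
# and the sanitization that prevents it.
from typing import Callable, List, Tuple

Header = Tuple[str, str]


def render_headers(headers: List[Header]) -> bytes:
    """Serialize headers the way a naive server would: one CRLF-terminated line each."""
    body = b"".join(f"{name}: {value}\r\n".encode("latin-1") for name, value in headers)
    return body + b"\r\n"  # blank line ends the header block


def parse_header_lines(raw: bytes) -> List[str]:
    """Return the header lines a client would actually see after serialization."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [line.decode("latin-1") for line in head.split(b"\r\n") if line]


def set_header_bad(headers: List[Header], name: str, user_input: str) -> None:
    # BAD: user input is written verbatim; an embedded CRLF ends the line early.
    headers.append((name, user_input))


def sanitize_header_value(value: str) -> str:
    # GOOD: strip CR and LF so the value cannot terminate the header line.
    return value.replace("\r", "").replace("\n", "")


def set_header_good(headers: List[Header], name: str, user_input: str) -> None:
    headers.append((name, sanitize_header_value(user_input)))


# Constructed input: a request parameter carrying an embedded line break.
TAINTED = "en\r\nSet-Cookie: session=injected"


def demo(setter: Callable[[List[Header], str, str], None]) -> List[str]:
    """Build a response with the given setter and return the resulting header lines."""
    headers: List[Header] = [("Content-Type", "text/html")]
    setter(headers, "X-Language", TAINTED)
    return parse_header_lines(render_headers(headers))
```

With the BAD setter the tainted value yields three header lines, including an attacker-supplied `Set-Cookie`; with the GOOD setter it stays a single `X-Language` line. Many modern frameworks already reject line breaks in header values, which is why the hand-rolled serializer is needed here to make the split observable.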
