If an HTTP header is built using string concatenation or string formatting, and the components of the concatenation include user input, an attacker is likely to be able to manipulate the response: a value containing carriage-return or line-feed characters ends the header line early and lets the remainder be interpreted as additional headers or as a second response (HTTP response splitting).

User input should not be included in an HTTP Header.

In the following example, the code appends a user-provided value into a header.
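The example below is added here and is not the page's own code: it shows a header line built by string formatting from user input, beside a hardened version that refuses values containing CR or LF. The function names are hypothetical and the sample inputs are constructed.

```python
# Added example (not from the original page). Helper names are hypothetical;
# the header values used in the checks are constructed for illustration.

def build_header(name: str, value: str) -> str:
    """Unsafe: formats user input straight into a header line.

    A value containing "\\r\\n" terminates the line early, so whatever follows
    is emitted as a separate header (or, with a blank line, a second response).
    """
    return f"{name}: {value}\r\n"


def has_crlf(value: str) -> bool:
    """True if the value contains a character that ends a header line."""
    return "\r" in value or "\n" in value


def is_safe_value(value: str) -> bool:
    """Validation applied before user input reaches a header."""
    return not has_crlf(value)


def safe_header(name: str, value: str) -> str:
    """Hardened: reject any name or value that could split the response."""
    if not (is_safe_value(name) and is_safe_value(value)):
        raise ValueError("header name and value must not contain CR or LF")
    return f"{name}: {value}\r\n"


def count_header_lines(raw: str) -> int:
    """Number of header lines a client would see in the formatted text."""
    return len([line for line in raw.split("\r\n") if line])


if __name__ == "__main__":
    # Constructed input: a language tag with an embedded line break.
    tainted = "en\r\nX-Extra: 1"
    print(count_header_lines(build_header("Content-Language", tainted)))  # 2
    print(count_header_lines(safe_header("Content-Language", "en")))      # 1
```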

  • OWASP: HTTP Response Splitting.
  • Python Security: HTTP header injection.
  • SonarSource: RSPEC-5167.