How to prevent HTTP Response Splitting
Escaping/validation/filtering the values of the given headers
Is the best method for protecting against HTTP Response Splitting
The main security condition is not to pass the
symbols in the headers. To do this, you can use several approaches
- Escaping: URL-encoding in the case of headings Location, Set-Cookie.
- Validation: if the header value contains one of \r, \n symbols, then give the user an error and stop the query execution logic.
- Filtering is the safest option when \r, \n symbols are cut from the header values.