NAME

Plack::Middleware::BlockHeaderInjection - block header injections in responses

VERSION

version v1.0.1

SYNOPSIS

  use Plack::Builder;

  my $app = ...

  $app = builder {
    enable 'BlockHeaderInjection',
      status => 500;
    $app;
  };

DESCRIPTION

This middleware checks responses for injected headers. If any header value contains a newline, the response status is set to 500 (or the configured status) and the offending header(s) are removed.

A common source of header injection is a request parameter that is passed unchecked into a response header (such as the redirection Location).

An attacker can use injected headers to bypass security controls by forging a header the application trusts (such as a Referer or cookie header).
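The following is an added example, not code from the module's distribution: a deliberately careless app that copies an unchecked query parameter into the Location header (the pattern described above), wrapped by this middleware and exercised with Plack::Test. The $redirector app, the parameter name "next" and the constructed test requests are assumptions.

```perl
use strict;
use warnings;
use Plack::Builder;
use Plack::Test;
use HTTP::Request::Common;
use URI::Escape qw(uri_unescape);

# Assumed example app: reflects the "next" parameter straight into the
# Location header without validating it.
my $redirector = sub {
    my $env = shift;
    my ($target) = ( $env->{QUERY_STRING} // '' ) =~ /(?:^|&)next=([^&]*)/;
    $target = uri_unescape( $target // '/' );
    return [ 302, [ 'Location' => $target ], [] ];
};

# Wrap it exactly as in the SYNOPSIS.
my $app = builder {
    enable 'BlockHeaderInjection', status => 500;
    $redirector;
};

test_psgi app => $app, client => sub {
    my $cb = shift;

    # A benign value is passed through untouched: 302 with Location=/home.
    my $ok = $cb->( GET '/?next=%2Fhome' );
    printf "benign:   %d Location=%s\n", $ok->code, $ok->header('Location') // '';

    # Constructed input carrying an encoded CRLF (%0D%0A). Written out
    # verbatim it would start a second header line; the middleware instead
    # drops the Location header and reports the configured status (500).
    my $bad = $cb->( GET '/?next=%2Fhome%0D%0AX-Forged%3A%201' );
    printf "injected: %d Location=%s\n",
        $bad->code, $bad->header('Location') // '<removed>';
};
```

The middleware only reacts after the response has been built, so the fix for the app itself is still to validate the redirect target before using it.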

ATTRIBUTES

status

The status code to return if an invalid header is found. By default, this is 500.

SEE ALSO

https://en.wikipedia.org/wiki/HTTP_header_injection

SOURCE

The development version is on GitHub at https://github.com/robrwo/Plack-Middleware-BlockHeaderInjection and may be cloned from git://github.com/robrwo/Plack-Middleware-BlockHeaderInjection.git

BUGS

Please report any bugs or feature requests on the bugtracker website https://github.com/robrwo/Plack-Middleware-BlockHeaderInjection/issues

When submitting a bug or request, please include a test-file or a patch to an existing test-file that illustrates the bug or desired feature.

AUTHOR

Robert Rothenberg <rrwo@cpan.org>

The initial development of this module was supported by Foxtons, Ltd https://www.foxtons.co.uk.

COPYRIGHT AND LICENSE

This software is Copyright (c) 2014,2020 by Robert Rothenberg.

This is free software, licensed under:

  The Artistic License 2.0 (GPL Compatible)