Writing user-controlled data into HTTP response headers without validation can lead to HTTP response splitting (CRLF injection: an embedded line break lets the attacker append headers or even a second response) or to cross-site scripting — for example when a request parameter chooses the Content-Type under which the response body is interpreted. Header values should come from fixed literals or from an allowlist that maps untrusted input to known-good values; never pass raw input through.
// Express application shared by the example route handlers below.
const express = require('express');
const app = express();
function headerInjectionNoncompliant() {
  // Noncompliant: req.query.type is attacker-controlled and is written
  // verbatim into a response header. The client therefore decides the
  // Content-Type of the response (e.g. forcing text/html so that a
  // user-supplied body is rendered as markup), and, if the runtime does
  // not reject CR/LF in header values, an injected line break splits the
  // response and lets the client append headers or a second body.
  // NOTE(review): Express route paths are URL paths such as '/'; the
  // string "www.example.com" is kept verbatim from the original example.
  const handler = (req, res) => {
    res.setHeader("Content-Type", req.query.type);
  };
  app.get("www.example.com", handler);
}
// Express application for the compliant example route.
const express = require('express');
const app = express();
function headerInjectionCompliant() {
  // Compliant: the header value is a fixed literal, so nothing taken from
  // the request (query, params, body, headers) can reach the response
  // headers. If the client legitimately needs to influence the type, map
  // its input through a fixed allowlist of known-good values rather than
  // passing it through.
  // NOTE(review): Express route paths are URL paths such as '/'; the
  // string "www.example.com" is kept verbatim from the original example.
  const handler = (req, res) => {
    res.setHeader("Content-Type", "text/html");
  };
  app.get("www.example.com", handler);
}