[Web-SIG] Newline values in WSGI response header values.

Alan Kennedy pywebsig at xhaus.com
Thu Jun 12 11:06:42 CEST 2008

> Thus, is an embedded newline in value invalid? Would it be reasonable
> for a WSGI adapter to flag it as an error?

From a security POV, it may be advisable for WSGI servers to *not*
allow newlines in HTTP response headers; newlines in response headers
may be the result of an application's failure to sanitise its inputs.
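
An added example, not part of the original message or of any WSGI server: a middleware that enforces the check suggested above by refusing any status line or header that contains CR or LF. The names `RejectHeaderNewlines`, `HeaderNewlineError`, `check_headers`, `demo_app` and `call_app` are hypothetical, and the requests are constructed.

```python
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

class HeaderNewlineError(ValueError):
    """An application passed CR or LF in the status line or a header."""

def check_headers(status, headers):
    fields = [("status line", status)]
    for name, value in headers:
        fields += [("header name", name), ("header %r" % name, value)]
    for label, text in fields:
        if "\r" in text or "\n" in text:
            raise HeaderNewlineError("newline in %s: %r" % (label, text))

class RejectHeaderNewlines:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def checked(status, headers, exc_info=None):
            check_headers(status, headers)  # fail before the server sees them
            args = (status, headers) + ((exc_info,) if exc_info else ())
            return start_response(*args)
        return self.app(environ, checked)

def demo_app(environ, start_response):
    # Constructed app that copies a query parameter into a header unsanitised.
    lang = parse_qs(environ.get("QUERY_STRING", "")).get("lang", ["en"])[0]
    start_response("200 OK", [("Content-Type", "text/plain"), ("Content-Language", lang)])
    return [b"ok\n"]

def call_app(app, query_string):
    # Drive a WSGI app offline and return (status, headers dict, body).
    environ = {}
    setup_testing_defaults(environ)
    environ["QUERY_STRING"] = query_string
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body

if __name__ == "__main__":
    guarded = RejectHeaderNewlines(demo_app)
    print(call_app(guarded, "lang=fr"))
    try:
        call_app(guarded, "lang=en%0d%0aX-Injected:%201")  # constructed input
    except HeaderNewlineError as err:
        print("rejected:", err)
```

Raising inside `start_response` surfaces the fault as an application error, so the unsanitised value never reaches the wire.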



