Skip to content

fix: sanitize invalid characters in proxied response headers#472

Merged
mcollina merged 1 commit into
fastify:mainfrom
LashaJaparidze15:fix/sanitize-response-headers
Jul 12, 2026
Merged

fix: sanitize invalid characters in proxied response headers#472
mcollina merged 1 commit into
fastify:mainfrom
LashaJaparidze15:fix/sanitize-response-headers

Conversation

@LashaJaparidze15

Copy link
Copy Markdown
Contributor

Description

When proxying, an upstream response can include a header whose value contains characters that are invalid in an outgoing HTTP header — control characters, or code points above 0xFF (e.g. an emoji or certain Unicode characters a service put in a header). Copying such a value onto the downstream reply makes Node throw Invalid character in header content [...], which fails the entire proxied request rather than just the offending header.

This sanitizes response header values inside rewriteHeaders before they are set downstream. Values outside the set allowed by RFC 7230 field-content — HTAB (0x09), visible ASCII/space (0x200x7E), and obs-text (0x800xFF) — are stripped, so a bad upstream header degrades gracefully instead of taking down the request. Both string values and array values (e.g. set-cookie) are handled.

Closes #343

How Has This Been Tested?

  • Added unit tests for the two new utils helpers:
    • sanitizeHeaderValue — keeps normal values, tab, and obs-text; strips control characters, high-Unicode characters, and code points above 0xFF.
    • sanitizeHeaders — sanitizes string and array header values, leaving non-string values untouched.
  • Full suite passes locally with npm test (lint + tests + 100% coverage + TypeScript).

Checklist

  • I have read CONTRIBUTING.md
  • I have added unit tests
  • npm test passes (lint, tests, coverage, types)

An upstream reply can contain header values with characters that are
invalid in an outgoing HTTP header (control characters, or code points
above 0xFF). Copying such a value onto the downstream reply throws
'Invalid character in header content' and fails the entire request.

Strip those characters from response header values (strings and arrays
such as set-cookie) in rewriteHeaders, so proxying degrades gracefully
instead of crashing.

Closes fastify#343
@LashaJaparidze15 LashaJaparidze15 marked this pull request as ready for review July 7, 2026 18:49
@Fdawgs Fdawgs requested a review from Copilot July 12, 2026 13:11

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR prevents proxied requests from failing when an upstream response contains header values with characters that Node.js rejects (e.g., control chars or code points > 0xFF). It adds header-value sanitization utilities and applies them in the proxy response header rewrite path so invalid characters are stripped instead of crashing the entire request.

Changes:

  • Added sanitizeHeaderValue and sanitizeHeaders helpers to strip invalid HTTP header value characters (per Node/RFC7230-compatible ranges).
  • Applied sanitizeHeaders inside the proxy rewriteHeaders hook so downstream header setting won’t throw on invalid upstream values.
  • Added unit tests covering string and array header values (including control chars and high Unicode).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
utils.js Adds header-value sanitization helpers and exports them.
index.js Applies sanitization to rewritten proxied response headers before returning them to reply-from.
test/utils.js Adds unit tests validating sanitization behavior for string and array header values.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@mcollina mcollina left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@mcollina mcollina merged commit fd39e97 into fastify:main Jul 12, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Header encoding error for custom response headers: Invalid character in header content ["custom-response-header"]

3 participants