12 tests demonstrate Content-Type checking, header filtering, and injection prevention.
Header validation rules in policy.yaml:
# policy.yaml
headers:
request:
# Block dangerous headers that could be used for attacks
blocked:
- "X-Forwarded-For" # Prevent IP spoofing
- "X-Real-IP" # Prevent IP spoofing
- "X-Original-URL" # Prevent URL manipulation
# Require specific headers
required:
- name: "Content-Type"
pattern: "^application/(json|x-www-form-urlencoded)$"
# Maximum header size
max_size: 8192
response:
# Add security headers to all responses
add:
- "X-Content-Type-Options: nosniff"
- "X-Frame-Options: DENY"
- "X-XSS-Protection: 1; mode=block"curl -X POST \
-H "Content-Type: application/json" \
-d '{"name": "test"}' \
http://localhost:8080/api/usersRequests with correct Content-Type matching the policy pattern are processed normally.
curl -X POST \
-H "Content-Type: text/xml" \
-d 'test HTTP/1.1 415 Unsupported Media Type
Content-Type: application/json
{"error": "Invalid Content-Type", "allowed": ["application/json", "application/x-www-form-urlencoded"]}Requests with Content-Type not matching the policy are rejected with 415 Unsupported Media Type.
curl -H "X-Forwarded-For: 1.2.3.4" http://localhost:8080/api/usersHTTP/1.1 400 Bad Request
Content-Type: application/json
{"error": "Blocked header", "header": "X-Forwarded-For"}Headers that could be used for IP spoofing or bypassing security controls are blocked.
curl -H $'X-Custom: value\r\nX-Injected: malicious' http://localhost:8080/api/usersHTTP/1.1 400 Bad Request
Content-Type: application/json
{"error": "Header injection detected", "code": "CRLF_INJECTION_BLOCKED"}CRLF sequences (\r\n) in header values are detected and blocked to prevent HTTP response splitting attacks.
curl -H "X-Large: $(python3 -c 'print("A"*10000)')" http://localhost:8080/HTTP/1.1 431 Request Header Fields Too Large
Content-Type: application/json
{"error": "Header too large", "max_size": 8192}Headers exceeding the configured maximum size are rejected to prevent buffer overflow attacks.