ASVS Requirement 4.2.4
- Level: 3
- Chapter: V4 API and Web Service
- Section: V4.2 HTTP Message Structure Validation
- Source: 0x13-V4-API-and-Web-Service.md
Description
Verify that the application only accepts HTTP/2 and HTTP/3 requests where the header fields and values do not contain any CR (\r), LF (\n), or CRLF (\r\n) sequences, to prevent header injection attacks.
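One way to enforce this check on a field list already decoded from HPACK/QPACK, before it reaches application code or is copied into an HTTP/1.1 message for a backend. This is an added example, not ASVS text; the function names, the simplified serializer and the sample field lists are assumptions constructed for illustration.

```python
"""Reject decoded HTTP/2 / HTTP/3 field lists that carry CR or LF.

HTTP/2 and HTTP/3 carry fields as length-prefixed strings, so CR and LF are not
delimiters on the wire. They become delimiters once a field is copied into an
HTTP/1.1 message, which is why the check runs before any such copy.
"""
from typing import Iterable, Optional, Tuple

Field = Tuple[bytes, bytes]   # (name, value) as decoded from HPACK/QPACK
FORBIDDEN = (0x0D, 0x0A)      # CR, LF


def first_crlf_violation(fields: Iterable[Field]) -> Optional[Tuple[int, str, int]]:
    """Return (field_index, 'name' or 'value', byte_offset) of the first CR/LF, else None."""
    for idx, (name, value) in enumerate(fields):
        for part, data in (("name", name), ("value", value)):
            for off, byte in enumerate(data):
                if byte in FORBIDDEN:
                    return idx, part, off
    return None


def serialize_fields_http1(fields: Iterable[Field]) -> bytes:
    """Simplified (hypothetical) HTTP/1.1 field serializer for a backend hop.

    Pseudo-header fields (":method", ":path", ...) are validated like any other
    field but are not emitted as header lines. Any violation rejects the whole
    request; nothing is stripped or rewritten.
    """
    fields = list(fields)
    bad = first_crlf_violation(fields)
    if bad is not None:
        raise ValueError("CR/LF in field %d %s at offset %d" % bad)
    regular = [(n, v) for n, v in fields if not n.startswith(b":")]
    return b"".join(n + b": " + v + b"\r\n" for n, v in regular) + b"\r\n"


# Constructed sample field lists (not captured traffic).
CLEAN = [(b":method", b"GET"), (b":path", b"/"), (b"user-agent", b"demo/1.0")]
TAINTED = [(b":method", b"GET"), (b":path", b"/"),
           (b"x-trace", b"abc\r\nx-added: 1")]
```

Rejecting the request outright, rather than stripping the bytes, keeps the front end and any downstream parser in agreement about what was received.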