HTTP header injection: Difference between revisions

HTTPS
Tags: Reverted Mobile edit Mobile web edit
avoid redirect
 
(20 intermediate revisions by 13 users not shown)
Line 1:
{{Short description|Web application security vulnerability}}
Content deleted:
HTTPS header injection is a general class of [[web applicationsecurity vulnerability which occurs when [[Hypertext Transfer Protocol]] HTTPS list on HTTPS headers|headers]] are dynamically generated based on user input. Header injection in HTTPS responses can allow for [[HTTP response splitting]], [[Session fixation]] via the Set-Cookie header, [[cross-site scripting]] (XSS), and malicious redirect attacks via the ___location header. HTTP header injection is a relatively new area for web-based attacks, and has primarily been pioneered by Amit Klein in his work on request/response smuggling/splitting.<ref>Linhart, Klein, Heled, and Orrin: [http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf HTTP Request Smuggling], 2005, Watchfire Corporation. Retrieved on 22 December 2015</ref>
{{Citation style|date=March 2024}}
{{HTTP}}
Content added:
'''HTTP header injection''' is a general class of [[web application]] [[security vulnerability]] which occurs when [[Hypertext Transfer Protocol]] ([[HTTP]]) [[list of HTTP headers|headers]] are dynamically generated based on user input. [[Header (computing)|Header]] injection in HTTP responses can allow for [[HTTP response splitting]], [[session fixation]] via the Set-[[HTTP cookie|Cookie]] header, [[cross-site scripting]] (XSS), and malicious redirect attacks via the ___location header. [[XSS]] attacks can be blocked with the use of an [[Browser extension|extension]] such as [[NoScript]] or Malwarebytes Browser Guard on your [[Web browser|browser]].
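Review bot: the added side drops the lead's only citation (Linhart, Klein, Heled and Orrin, HTTP Request Smuggling, Watchfire, 2005) together with the sentence on Amit Klein's request/response smuggling/splitting work, and puts in its place an unsourced statement that XSS attacks can be blocked with the NoScript or Malwarebytes Browser Guard extension. That statement describes a client-side filter for one consequence of header injection, while the paragraph defines a server-side flaw (headers generated from user input), so in the definition paragraph it reads as product advice rather than a description of the vulnerability; the {{Citation style}} tag added in the same revision does not cover an uncited claim. Suggest restoring the cited sentence and either removing the extension sentence or moving it to a mitigation section with a source. The "HTTPS" substitutions on the deleted side ("HTTPS list on HTTPS headers|headers]]") break the wikilinks and are correctly undone here.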
 
== Sources ==
* Content deleted: [http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2008-April/003692.html File Download Injection]
* Content added: [https://dl.packetstormsecurity.net/papers/attack/Aspect_File_Download_Injection.pdf File Download Injection]
* [https://www.owasp.org/index.php/HTTP_Response_Splitting OWASP HTTP request Splitting]
* Content deleted: [https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_%28OTG-INPVAL-016%29 OWASP Testing for HTTP Splitting/Smuggling]
* Content added: [https://www.owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling OWASP Testing for HTTP Splitting/Smuggling]
* [https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/ HTTP Smuggling in 2015]
* [https://noscript.net NoScript Official Website]
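Review bot: the File Download Injection and OWASP testing-guide entries are moved off dead URLs, but the entry in between still uses the legacy www.owasp.org/index.php/ pattern that this same hunk abandons for the testing-guide link, and its label reads "OWASP HTTP request Splitting" while the target is HTTP_Response_Splitting. Suggest updating that entry to a current OWASP page on HTTP response splitting and matching the label to the target. The NoScript Official Website entry supports only the browser-extension sentence in the lead, so it should stay or go with that sentence.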
 
== See also ==