All Products
Document Center

CRLF HTTP header injection vulnerability

Last Updated: Oct 31, 2017


CRLF is short for “carriage return + line feed” (\r\n). In the HTTP protocol, the HTTP Header and HTTP Body are separated by two CRLF symbols, and the browser retrieves and displays the HTTP content based on the two CRLF symbols.

Therefore, once the characters in the HTTP header are injected with some malicious line breaks, some session cookies or HTML code can be injected.


  • Alibaba Cloud Security Web Application Firewall service can intercept the attacking codes for this vulnerability.

  • Filter “\r”, “\n” and similar line breaks to keep the input data from contaminating other HTTP headers.