1. Introduction
Duplicate HTTP Headers Detected is a finding raised when a web server sends two or more header fields with the same name in a single response. Unless the field is defined as a comma-separated list (or is the well-known Set-Cookie exception), the result is undefined: one client may honour the first copy, another the last, and a cache or proxy may combine them. It affects any component that generates or rewrites HTTP responses, such as web servers, reverse proxies and application gateways. The direct impact on confidentiality, integrity and availability is usually low, but two conflicting copies of a security header or of Content-Type can cause application errors, weaken a security control, or in some cases a denial of service.
2. Technical Explanation
The root cause is a failure to enforce uniqueness when a header is added to a response: typically the application sets a header and the web server or proxy in front of it sets the same header again, or a framework's "add" API is used where "set" was meant. RFC 7230 section 3.2.2 (now RFC 9110 section 5.3) says a sender must not generate multiple header fields with the same name unless the field is defined as a comma-separated list or is a well-known exception such as Set-Cookie. Where user input reaches a header value without validation, an attacker can inject a second copy of a header directly (CR/LF header injection); more often the duplicates are a static misconfiguration, and the risk is that the browser, a cache and a WAF each honour a different copy, which leads to application logic errors or a bypassed security header.
- Root cause: no check that a header name is unique when the response is assembled, usually because two layers (application and server, or two configuration scopes) each set it.
- Exploit mechanism: a request that reaches a code path or configuration where the same header is emitted twice, for example a response on which both the application and the web server set `Content-Type` with different values. Where a header value is built from user input, a crafted request can also inject the second copy itself.
- Scope: web servers (Apache, Nginx, IIS), reverse proxies and application gateways, and any application framework that assembles response headers without checking for an existing field of the same name.
3. Detection and Assessment
Confirming the finding means inspecting the raw response headers, because a browser's rendered view may already have merged or discarded one copy. Header names are case-insensitive, so `Content-Type` and `content-type` are the same header.
- Quick checks: use the browser developer tools (Network tab, Headers view) or a command-line client and look for a name that appears more than once.
- Scanning: Burp Suite and OWASP ZAP report repeated response header names during scanning; treat a scanner hit as a lead and confirm it against the raw response, as accuracy varies between tools.
- Logs and evidence: access logs record the request line and status code, not response headers, so they will not show the duplicate directly; a proxy or packet capture of the response, or application error logs that mention header parsing, are the evidence to keep.
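The check the bullets describe, as a small parser over a raw response (an added example written for this page, not code from the original; the response text is constructed, and the set of comma-separated fields is an illustrative subset, not the full IANA registry):

```python
from collections import defaultdict

# Fields whose value is defined as a comma-separated list, so repeating the
# field line is legal per RFC 9110 section 5.3 (a recipient joins them with
# commas). Illustrative subset only, assumed for this example.
LIST_VALUED = {
    "accept", "accept-encoding", "accept-language", "allow", "cache-control",
    "connection", "content-encoding", "content-language", "link",
    "transfer-encoding", "upgrade", "vary", "via", "www-authenticate",
}
# The well-known exception the RFC names: Set-Cookie may legitimately repeat.
WELL_KNOWN_EXCEPTIONS = {"set-cookie"}


def parse_response_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.x response into (name, value) pairs in wire order.
    Names are lower-cased because field names are case-insensitive, which is
    why 'Content-Type' and 'content-type' count as the same header."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response status line")
    fields = []
    for line in lines[1:]:
        if not line:
            continue
        # Obsolete line folding (leading SP/HTAB) is rejected rather than
        # merged; a server must not generate it in a response.
        if line[0] in " \t":
            raise ValueError(f"obsolete line folding in header: {line!r}")
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def find_duplicate_headers(raw: str) -> dict[str, list[str]]:
    """Return {name: [values...]} for every field name that appears more than
    once and is neither list-valued nor a well-known exception."""
    seen = defaultdict(list)
    for name, value in parse_response_headers(raw):
        seen[name].append(value)
    return {
        name: values
        for name, values in seen.items()
        if len(values) > 1
        and name not in LIST_VALUED
        and name not in WELL_KNOWN_EXCEPTIONS
    }


# Constructed sample: what a reverse proxy and its backend might jointly emit.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: no-store\r\n"
    "Cache-Control: no-cache\r\n"          # legal: list-valued field
    "Set-Cookie: a=1; HttpOnly\r\n"
    "Set-Cookie: b=2; HttpOnly\r\n"        # legal: well-known exception
    "X-Frame-Options: DENY\r\n"
    "x-frame-options: SAMEORIGIN\r\n"      # duplicate, different case and value
    "content-type: application/json\r\n"   # duplicate Content-Type
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for name, values in find_duplicate_headers(SAMPLE_RESPONSE).items():
        print(f"duplicate {name}: {values}")
```

Run it over a response captured from a proxy or with `curl -s -o /dev/null -D -`. Cache-Control and Set-Cookie are skipped because repeating them is legal, while the two X-Frame-Options copies are reported even though they differ in case, which is the point of lower-casing the names first.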
Command-line check (a HEAD request; use a GET with `curl -s -o /dev/null -D - https://example.com` if the application answers HEAD differently):
curl -sI https://example.com | grep -i '^content-type:'
4. Solution / Remediation Steps
Ensure that every HTTP header (and any `<meta http-equiv>` declaration that maps to one) is set exactly once per response, by one layer, so that no two components emit the same header name.
4.1 Preparation
- Ensure you have a rollback plan in place by keeping a copy of the original configuration files. A change window may be needed for production systems.
4.2 Implementation
- Step 1: Review the web server and proxy configuration (e.g. Apache's httpd.conf and the files it includes, Nginx's nginx.conf) and list every place a response header is set, including virtual host, directory and location scopes.
- Step 2: Make each header the responsibility of exactly one layer and one directive. In Apache, `Header set` and `Header always set` write to two different header tables that are both sent, so using both for the same name yields two copies; in Nginx, `add_header` only appends and never replaces a header that arrived from an upstream.
- Step 3: If application code or a framework sets headers, check that it replaces an existing header of the same name rather than appending a second one, and that no user input reaches a header value unvalidated.
- Step 4: Validate the configuration (`apachectl configtest`, `nginx -t`) and reload or gracefully restart the server to apply the changes.
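Step 3 in application code, before and after, as an added example for this page (not code from the original; the WSGI application and middleware are hypothetical, and the header values are chosen only to make the duplicate visible). The "before" middleware appends its headers to whatever the application already emitted; the "after" version replaces any existing field with the same name, compared case-insensitively, so one header goes out once:

```python
from wsgiref.util import setup_testing_defaults


def app(environ, start_response):
    """Hypothetical application that sets its own framing header."""
    body = b"<html><body>hello</body></html>"
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-Frame-Options", "SAMEORIGIN"),
        ("Content-Length", str(len(body))),
    ]
    start_response("200 OK", headers)
    return [body]


def naive_security_headers(inner_app, extra):
    """Before: appends fixed headers without looking at what the application
    already sent, so any name the app also set is now present twice."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            return start_response(status, list(headers) + list(extra), exc_info)
        return inner_app(environ, sr)
    return wrapped


def unique_security_headers(inner_app, extra):
    """After: drops an existing field with the same (case-insensitive) name
    before appending, so each name is emitted exactly once."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            override = {name.lower() for name, _ in extra}
            kept = [(n, v) for n, v in headers if n.lower() not in override]
            return start_response(status, kept + list(extra), exc_info)
        return inner_app(environ, sr)
    return wrapped


def run(wsgi_app):
    """Drive a WSGI app in-process and return the header list it emitted."""
    environ = {}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None  # write() callable required by the spec

    b"".join(wsgi_app(environ, start_response))  # consume the body
    return captured["headers"]


def count_header(headers, name):
    """Number of fields named `name`, ignoring case, in a header list."""
    return sum(1 for n, _ in headers if n.lower() == name.lower())


# Headers the (hypothetical) middleware wants on every response.
EXTRA = [("X-Frame-Options", "DENY"), ("X-Content-Type-Options", "nosniff")]

if __name__ == "__main__":
    for label, middleware in (("before", naive_security_headers),
                              ("after", unique_security_headers)):
        hdrs = run(middleware(app, EXTRA))
        print(label, count_header(hdrs, "X-Frame-Options"), hdrs)
```

The same pattern applies to any framework: when a header may already exist, use the API that replaces (Werkzeug's `headers.set`, not `headers.add`; PHP's `header()` with the default replace flag, not `false`), and decide in one place which layer owns each security header.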
4.3 Config or Code Example
Before
# Apache httpd.conf
# "Header set" writes to the onsuccess header table and "Header always set"
# to the always table; Apache merges both tables into the response, so the
# header is sent twice, once with each value.
Header set X-Frame-Options SAMEORIGIN
Header always set X-Frame-Options DENY
After
# Apache httpd.conf
# One directive, on the always table so it also covers error responses.
Header always set X-Frame-Options SAMEORIGIN
The example uses X-Frame-Options because Content-Type itself is better controlled through the handler (AddType, ForceType) than through mod_headers; the same two-table rule applies to any header name.
4.4 Security Practices Relevant to This Vulnerability
Input validation and secure defaults are the practices that matter here: validation stops user-controlled data from carrying a CR/LF into a header value and injecting a second header, while secure defaults mean each layer emits a known, fixed set of headers instead of appending whatever it is handed.
- Practice 1: Least privilege: limit who and which components can change header configuration (server config, proxy rules, framework middleware), so a duplicate cannot be introduced without review.
- Practice 2: Secure defaults: ship the web server with a baseline header set owned by one layer, and have application code replace rather than append when it needs to change one.
4.5 Automation (Optional)
If you manage the configuration as code, you can automate the check for repeated header definitions. The tasks below (Ansible, hypothetical) count `Header` directives for one name across the Apache configuration and fail the play when there is more than one; they only see static configuration, not headers added by the application or an upstream.
# Example Ansible tasks: count Content-Type Header directives in the Apache config and fail if there is more than one
- name: Count Header directives for Content-Type in Apache config
  ansible.builtin.shell: >
    grep -rhiE '^\s*Header\s+(always\s+)?(set|add|append|merge)\s+Content-Type\b'
    /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/ | wc -l
  register: header_count
  changed_when: false

- name: Fail if Content-Type is set more than once
  ansible.builtin.assert:
    that: header_count.stdout | int <= 1
    fail_msg: "Content-Type is set {{ header_count.stdout }} times in the Apache config"
5. Verification / Validation
- Post-fix check: run `curl -sI https://example.com | grep -i '^content-type:'` (or a GET with `curl -s -o /dev/null -D - https://example.com`) and confirm the header is returned exactly once; repeat for every header the fix touched and for an error page such as a 404, since success and error responses can take different configuration paths.
- Re-test: Re-run the earlier detection method (browser developer tools) to show that duplicate headers are no longer present.
- Smoke test: Verify basic application functionality, such as loading web pages and submitting forms.
- Monitoring: Monitor server logs for any errors related to header parsing or unexpected behaviour.
6. Preventive Measures and Monitoring
Update security baselines to include unique header definitions. Add checks in CI/CD pipelines to prevent the introduction of duplicate headers during deployment.
- Baselines: Update your server configuration baseline or policy to enforce unique HTTP header names.
- Pipelines: Integrate static analysis tools into your CI pipeline to scan for potential duplicate headers in configuration files and code.
- Asset and patch process: Implement a regular review cycle for web server configurations to identify and address any new vulnerabilities.
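A static check of the kind the pipeline bullet asks for, here over Apache `Header` directives (an added example for this page, not a published tool; the configuration snippet is constructed). It records which of the two header tables each directive writes to (onsuccess, the default, or always) and flags a name that is written on both tables, or added with `add` more than once, which are the two configurations that send the header twice:

```python
import re
from collections import defaultdict

# One Apache mod_headers directive: optional table, action, header name.
HEADER_RE = re.compile(
    r"^\s*Header\s+(?:(?P<table>onsuccess|always)\s+)?"
    r"(?P<action>setifempty|set|add|append|merge|edit\*|edit|unset|note|echo)\s+"
    r"(?P<name>\S+)",
    re.IGNORECASE,
)
# Actions that put a field into the response (unset/note/echo/edit do not add one).
WRITERS = {"set", "setifempty", "add", "append", "merge"}


def scan_apache_config(text: str):
    """Return {header_name_lower: [(table, action, line_no), ...]} for every
    Header directive in the text; 'onsuccess' is the table when none is given."""
    found = defaultdict(list)
    for line_no, line in enumerate(text.splitlines(), 1):
        m = HEADER_RE.match(line)
        if not m:
            continue
        table = (m.group("table") or "onsuccess").lower()
        action = m.group("action").lower()
        name = m.group("name").strip('"').lower()
        found[name].append((table, action, line_no))
    return found


def duplicate_header_directives(text: str) -> dict[str, str]:
    """Header names this configuration can emit twice, with the reason."""
    problems = {}
    for name, uses in scan_apache_config(text).items():
        writers = [u for u in uses if u[1] in WRITERS]
        tables = {table for table, _, _ in writers}
        if len(tables) > 1:
            problems[name] = (
                "written on both the onsuccess and always tables; Apache merges "
                "the two into the response, so both copies are sent"
            )
        elif sum(1 for _, action, _ in writers if action == "add") > 1:
            problems[name] = "'add' used more than once; add never replaces an existing field"
    return problems


# Constructed configuration snippet, not a real deployment.
SAMPLE_CONF = """\
# constructed snippet for the example
ServerName www.example.com
Header set X-Frame-Options SAMEORIGIN
Header always set X-Frame-Options DENY
Header add Cache-Control "no-store"
Header add Cache-Control "no-cache"
Header always set Strict-Transport-Security "max-age=63072000"
Header unset X-Powered-By
"""

if __name__ == "__main__":
    for name, reason in duplicate_header_directives(SAMPLE_CONF).items():
        lines = [line_no for _, _, line_no in scan_apache_config(SAMPLE_CONF)[name]]
        print(f"{name} (lines {lines}): {reason}")
```

Point it at the concatenation of every file the server includes, since the two directives for one name are often in different files (a global security-headers include and a virtual host). It does not model scope merging between server, virtual host and directory contexts, so treat a clean result as necessary, not sufficient, and keep the runtime check from section 5.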
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: removing the wrong copy of a header can remove the one the application relies on (for example the Content-Type the browser was actually using), breaking pages or API clients.
- Risk or side effect 2: when the two copies carried different values, collapsing them to one means choosing a value; for security headers choose the stricter one, otherwise a weaker policy silently remains in place.
- Roll back: Restore the original web server configuration files and restart the service.
8. References and Resources
- Vendor advisory or bulletin: N/A
- NVD or CVE entry: N/A
- Product or platform documentation relevant to the fix: RFC 9110, HTTP Semantics, section 5.3 "Field Order" (https://www.rfc-editor.org/rfc/rfc9110#section-5.3), which carries forward the RFC 7230 section 3.2.2 rule on repeated field names; Apache mod_headers documentation (https://httpd.apache.org/docs/2.4/mod/mod_headers.html), covering the onsuccess and always tables.