CME-912

HTTP Header Normalization and Request Smuggling Prevention

Description

Enforce strict HTTP header parsing on all HTTP intermediaries (proxies, load balancers, reverse proxies, web servers) to prevent request smuggling via header desynchronization. The control requires: (1) rejecting requests containing both Content-Length and Transfer-Encoding headers per RFC 7230 Section 3.3.3, (2) rejecting requests with duplicate Content-Length headers carrying differing values, (3) disabling relaxed header parsing modes that tolerate whitespace or encoding variations in Transfer-Encoding values, and (4) normalizing or rejecting header values containing illegal characters (bare CR, bare LF, NUL bytes). These measures eliminate the primary desynchronization vectors that enable an attacker to inject smuggled requests across the proxy-backend boundary.
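As an added illustration, not part of the CME-912 entry or of any product it names, the following Python validator applies the four checks above to a raw request head; the header-line pattern, the violation strings and the sample heads are this example's own constructions.

```python
import re

# Strict header line: RFC 7230 token name, colon, at most one SP, then the field value.
# Bare CR, bare LF and NUL are excluded from the value class; the character check below
# reports them explicitly before this pattern is tried.
HEADER_LINE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+: ?([^\r\n\x00]*)")

def split_head(raw: bytes) -> list[bytes]:
    """Split a request head on CRLF only, so a bare CR or LF stays inside its line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n")

def validate_request_head(raw: bytes) -> list[str]:
    """Apply the four CME-912 checks; an empty list means the head is acceptable."""
    violations: list[str] = []
    content_lengths: list[bytes] = []
    transfer_encodings: list[bytes] = []
    for line in split_head(raw)[1:]:  # index 0 is the request line
        if any(c in line for c in (b"\r", b"\n", b"\x00")):
            violations.append("illegal control character in header")   # check 4
            continue
        m = HEADER_LINE.fullmatch(line)
        if m is None:
            violations.append("malformed header line")
            continue
        name = line.split(b":", 1)[0].lower()
        if name == b"content-length":
            content_lengths.append(m.group(1))
        elif name == b"transfer-encoding":
            transfer_encodings.append(m.group(1))
    if content_lengths and transfer_encodings:
        violations.append("both Content-Length and Transfer-Encoding present")  # check 1
    if len(set(content_lengths)) > 1:
        violations.append("conflicting duplicate Content-Length values")      # check 2
    # Strict mode (check 3): only the exact token "chunked" is accepted; whitespace,
    # case or additional codings are rejected rather than tolerated.
    if any(v != b"chunked" for v in transfer_encodings):
        violations.append("non-canonical Transfer-Encoding value")
    return violations

# Constructed sample heads (not captured traffic), used to exercise the validator.
SAMPLES = {
    "clean":      b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\n\r\n",
    "cl_and_te":  b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    "dup_cl":     b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n",
    "te_variant": b"POST / HTTP/1.1\r\nHost: h\r\nTransfer-Encoding:\tchunked\r\n\r\n",
    "bare_lf":    b"POST / HTTP/1.1\r\nHost: h\nX-Note: a\r\n\r\n",
}
if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:11} -> {validate_request_head(raw) or ['accepted']}")
```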

CVSS Vector Impacts

Metric | Transition | Rationale
Attack Complexity (AC) | L → H | Strict header normalization closes the standard CL/TE and duplicate-CL desync vectors, forcing the attacker to discover novel parser-specific bypass techniques to achieve smuggling
Integrity (I) | H → L | Preventing request smuggling eliminates the primary integrity impact: cache poisoning and request injection into other users' sessions

CWE Relationships

Verification

Verify that HTTP intermediaries enforce strict header parsing: reject requests with both Content-Length and Transfer-Encoding, reject duplicate Content-Length headers, and disable relaxed parsing modes

$ grep -i 'relaxed_header_parser' /etc/squid/squid.conf
# Expected: off
Platform: linux
$ grep 'http-request deny.*hdr_cnt(content-length)' /etc/haproxy/haproxy.cfg
# Expected: http-request deny
Platform: linux
$ grep -i 'HttpProtocolOptions' /etc/httpd/conf/httpd.conf
# Expected: Strict
Platform: linux
$ grep -i 'ignore_invalid_headers' /etc/nginx/nginx.conf
# Expected: on
Platform: linux