Reject control characters in header names and values

cursoragent · shrisukhani · cursoragent · commit 1d2769825bf8 · 2026-02-13T09:44:02.000Z
Co-authored-by: Shri Sukhani &lt;shrisukhani@users.noreply.github.com&gt;
diff --git a/hyperbrowser/header_utils.py b/hyperbrowser/header_utils.py
@@ -31,6 +31,11 @@ def normalize_headers(
             or "\r" in value
         ):
             raise HyperbrowserError("headers must not contain newline characters")
+        if any(
+            ord(character) < 32 or ord(character) == 127
+            for character in f"{normalized_key}{value}"
+        ):
+            raise HyperbrowserError("headers must not contain control characters")
         canonical_header_name = normalized_key.lower()
         if canonical_header_name in seen_header_names:
             raise HyperbrowserError(
diff --git a/tests/test_config.py b/tests/test_config.py
@@ -254,6 +254,13 @@ def test_client_config_rejects_newline_header_values():
         ClientConfig(api_key="test-key", headers={"X-Correlation-Id": "bad\nvalue"})
 
 
+def test_client_config_rejects_control_character_header_values():
+    with pytest.raises(
+        HyperbrowserError, match="headers must not contain control characters"
+    ):
+        ClientConfig(api_key="test-key", headers={"X-Correlation-Id": "bad\tvalue"})
+
+
 def test_client_config_normalizes_header_name_whitespace():
     config = ClientConfig(api_key="test-key", headers={"  X-Correlation-Id  ": "value"})
 
diff --git a/tests/test_custom_headers.py b/tests/test_custom_headers.py
@@ -47,6 +47,13 @@ def test_sync_transport_rejects_header_newline_values():
         SyncTransport(api_key="test-key", headers={"X-Correlation-Id": "bad\nvalue"})
 
 
+def test_sync_transport_rejects_header_control_character_values():
+    with pytest.raises(
+        HyperbrowserError, match="headers must not contain control characters"
+    ):
+        SyncTransport(api_key="test-key", headers={"X-Correlation-Id": "bad\tvalue"})
+
+
 def test_async_transport_accepts_custom_headers():
     async def run() -> None:
         transport = AsyncTransport(
@@ -87,6 +94,13 @@ def test_async_transport_rejects_header_newline_values():
         AsyncTransport(api_key="test-key", headers={"X-Correlation-Id": "bad\nvalue"})
 
 
+def test_async_transport_rejects_header_control_character_values():
+    with pytest.raises(
+        HyperbrowserError, match="headers must not contain control characters"
+    ):
+        AsyncTransport(api_key="test-key", headers={"X-Correlation-Id": "bad\tvalue"})
+
+
 def test_sync_client_config_headers_are_applied_to_transport():
     client = Hyperbrowser(
         config=ClientConfig(api_key="test-key", headers={"X-Team-Trace": "team-1"})
diff --git a/tests/test_header_utils.py b/tests/test_header_utils.py
@@ -73,6 +73,23 @@ def test_parse_headers_env_json_rejects_non_mapping_payload():
         parse_headers_env_json('["bad"]')
 
 
+def test_normalize_headers_rejects_control_characters():
+    with pytest.raises(
+        HyperbrowserError, match="headers must not contain control characters"
+    ):
+        normalize_headers(
+            {"X-Trace-Id": "value\twith-tab"},
+            mapping_error_message="headers must be a mapping of string pairs",
+        )
+
+
+def test_parse_headers_env_json_rejects_control_characters():
+    with pytest.raises(
+        HyperbrowserError, match="headers must not contain control characters"
+    ):
+        parse_headers_env_json('{"X-Trace-Id":"bad\\u0000value"}')
+
+
 def test_merge_headers_replaces_existing_headers_case_insensitively():
     merged = merge_headers(
         {"User-Agent": "default-sdk", "x-api-key": "test-key"},
