Reject overly long header names during normalization

cursoragent · shrisukhani · cursoragent · commit a29f568e41b9 · 2026-02-13T11:30:58.000Z
Co-authored-by: Shri Sukhani &lt;shrisukhani@users.noreply.github.com&gt;
diff --git a/hyperbrowser/header_utils.py b/hyperbrowser/header_utils.py
@@ -5,6 +5,7 @@
 from .exceptions import HyperbrowserError
 
 _INVALID_HEADER_NAME_CHARACTER_PATTERN = re.compile(r"[^!#$%&'*+\-.^_`|~0-9A-Za-z]")
+_MAX_HEADER_NAME_LENGTH = 256
 
 
 def normalize_headers(
@@ -27,6 +28,10 @@ def normalize_headers(
         normalized_key = key.strip()
         if not normalized_key:
             raise HyperbrowserError("header names must not be empty")
+        if len(normalized_key) > _MAX_HEADER_NAME_LENGTH:
+            raise HyperbrowserError(
+                f"header names must be {_MAX_HEADER_NAME_LENGTH} characters or fewer"
+            )
         if _INVALID_HEADER_NAME_CHARACTER_PATTERN.search(normalized_key):
             raise HyperbrowserError(
                 "header names must contain only valid HTTP token characters"
diff --git a/tests/test_config.py b/tests/test_config.py
@@ -292,6 +292,15 @@ def test_client_config_rejects_invalid_header_name_characters():
         ClientConfig(api_key="test-key", headers={"X Trace": "value"})
 
 
+def test_client_config_rejects_overly_long_header_names():
+    long_header_name = "X-" + ("a" * 255)
+
+    with pytest.raises(
+        HyperbrowserError, match="header names must be 256 characters or fewer"
+    ):
+        ClientConfig(api_key="test-key", headers={long_header_name: "value"})
+
+
 def test_client_config_rejects_newline_header_values():
     with pytest.raises(
         HyperbrowserError, match="headers must not contain newline characters"
diff --git a/tests/test_custom_headers.py b/tests/test_custom_headers.py
@@ -52,6 +52,15 @@ def test_sync_transport_rejects_invalid_header_name_characters():
         SyncTransport(api_key="test-key", headers={"X Trace": "value"})
 
 
+def test_sync_transport_rejects_overly_long_header_names():
+    long_header_name = "X-" + ("a" * 255)
+
+    with pytest.raises(
+        HyperbrowserError, match="header names must be 256 characters or fewer"
+    ):
+        SyncTransport(api_key="test-key", headers={long_header_name: "value"})
+
+
 def test_sync_transport_rejects_header_newline_values():
     with pytest.raises(
         HyperbrowserError, match="headers must not contain newline characters"
@@ -111,6 +120,15 @@ def test_async_transport_rejects_invalid_header_name_characters():
         AsyncTransport(api_key="test-key", headers={"X Trace": "value"})
 
 
+def test_async_transport_rejects_overly_long_header_names():
+    long_header_name = "X-" + ("a" * 255)
+
+    with pytest.raises(
+        HyperbrowserError, match="header names must be 256 characters or fewer"
+    ):
+        AsyncTransport(api_key="test-key", headers={long_header_name: "value"})
+
+
 def test_async_transport_rejects_header_newline_values():
     with pytest.raises(
         HyperbrowserError, match="headers must not contain newline characters"
diff --git a/tests/test_header_utils.py b/tests/test_header_utils.py
@@ -25,6 +25,17 @@ def test_normalize_headers_rejects_empty_header_name():
         )
 
 
+def test_normalize_headers_rejects_overly_long_header_names():
+    long_header_name = "X-" + ("a" * 255)
+    with pytest.raises(
+        HyperbrowserError, match="header names must be 256 characters or fewer"
+    ):
+        normalize_headers(
+            {long_header_name: "value"},
+            mapping_error_message="headers must be a mapping of string pairs",
+        )
+
+
 def test_normalize_headers_rejects_invalid_header_name_characters():
     with pytest.raises(
         HyperbrowserError,
