Module de.cuioss.http

Package de.cuioss.http.security.pipeline

Class HTTPHeaderValidationPipeline

java.lang.Object

de.cuioss.http.security.pipeline.AbstractValidationPipeline

de.cuioss.http.security.pipeline.HTTPHeaderValidationPipeline

All Implemented Interfaces:

HttpSecurityValidator

public final class HTTPHeaderValidationPipeline
extends AbstractValidationPipeline

Sequential validation pipeline specifically for HTTP header components.

Validation Sequence

1. Length Validation - Enforces maximum header length limits
2. Character Validation - Validates RFC 7230 header characters
3. Normalization - Header normalization and security checks
4. Pattern Matching - Detects injection attacks and suspicious patterns

Design Principles

• Sequential Execution - Each stage processes the output of the previous stage
• Early Termination - Pipeline stops on first security violation
• Security First - Validates before any transformation
• Immutable - Thread-safe pipeline instance

HTTP Header Security

• Header Injection Prevention - Detects CRLF injection attempts
• RFC 7230 Compliance - Enforces HTTP header character restrictions
• Length Limits - Prevents header-based DoS attacks
• Pattern Detection - Identifies malicious header values

Usage Example

 SecurityConfiguration config = SecurityConfiguration.defaults();
 SecurityEventCounter counter = new SecurityEventCounter();

 HTTPHeaderValidationPipeline pipeline = new HTTPHeaderValidationPipeline(config, counter);

 try {
     String safeHeader = pipeline.validate("Bearer eyJhbGciOiJIUzI1NiJ9...");
     // Use safeHeader for processing
 } catch (UrlSecurityException e) {
     // Handle security violation
     log.warn("Header validation failed: {}", e.getMessage());
 }
 

Implements: Task P3 from HTTP verification specification

Since:

1.0

Field Summary

Fields inherited from class de.cuioss.http.security.pipeline.AbstractValidationPipeline

eventCounter, stages

Constructor Summary

Constructors

Constructor	Description
HTTPHeaderValidationPipeline(SecurityConfiguration config, SecurityEventCounter eventCounter, ValidationType validationType)	Creates a new HTTP header validation pipeline with the specified configuration.

Method Summary

Modifier and Type	Method	Description
ValidationType	getValidationType()	Returns the validation type handled by this pipeline.

Methods inherited from class de.cuioss.http.security.pipeline.AbstractValidationPipeline

validate

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface de.cuioss.http.security.core.HttpSecurityValidator

andThen, compose, when

Constructor Details

HTTPHeaderValidationPipeline

public HTTPHeaderValidationPipeline(SecurityConfiguration config,
 SecurityEventCounter eventCounter,
 ValidationType validationType)

Creates a new HTTP header validation pipeline with the specified configuration. The pipeline can be configured for either header names or header values.

Parameters:

config - The security configuration to use

eventCounter - The counter for tracking security events

validationType - The type of header component to validate (HEADER_NAME or HEADER_VALUE)

Throws:

NullPointerException - if config, eventCounter, or validationType is null

IllegalArgumentException - if validationType is not a header type

Method Details

getValidationType

public ValidationType getValidationType()

Description copied from class: AbstractValidationPipeline

Returns the validation type handled by this pipeline.

Specified by:

getValidationType in class AbstractValidationPipeline

Returns:

The validation type for this pipeline