Having dot in the header name
mdounin at mdounin.ru
Fri Jan 22 22:25:50 MSK 2010
On Sat, Jan 23, 2010 at 12:08:08AM +0530, Vinay Y S wrote:
> I see that nginx as proxy rejects headers with name like "auth.client" or
> "auth.token" (with dot in their name) and stops parsing further headers.
> Thus the request to the upstream server doesn't contain these headers. From
> the logs, it says "client sent invalid header line".
> Why is having a dot in the header name considered invalid? I searched the
> relevant RFCs (2616 and 822) and they don't seem to exclude dot. May I know
> the reason for nginx to reject headers with dot while other servers like
> Apache httpd parse headers with dot just fine.
> Also, in the nginx source I noticed an undocumented directive
> "ignore_invalid_headers" which is on by default. When set to off, it makes
> nginx pass such headers to the upstream server properly.
> Is it safe to use this directive? Are there any side-effects, performance
> issues related to using it?
Basically nginx does this because:
1. they aren't generally used (HTTP itself only uses alphanumeric
and "-" in headers);
2. they are likely to cause issues, including security ones, with
translations like CGI does (X-Blah -> HTTP_X_BLAH, X_Blah ->
HTTP_X_BLAH, X.Blah -> HTTP_X_BLAH); note that nginx itself uses
similar translation for $http_* variables and AFAIR while passing
headers to fastcgi backends.
As long as you are ok with the above - it should be mostly ok to
switch off ignore_invalid_headers.
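
The name collision described in point 2, as an added example that is not part of the original message or of nginx's code: it audits a request's header names for ones that collapse onto the same CGI-style variable. The function names, the sample headers and the exact translation rule (upper-case, every non-alphanumeric character becomes "_", "HTTP_" prefix) are assumptions inferred from the three mappings quoted in the reply.

```python
import re
from collections import defaultdict

# Names made only of letters, digits and "-", the set the reply says HTTP itself uses.
PLAIN_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def cgi_name(header_name):
    """CGI-style translation (assumed rule): X-Blah, X_Blah, X.Blah -> HTTP_X_BLAH."""
    return "HTTP_" + re.sub(r"[^A-Za-z0-9]", "_", header_name).upper()


def audit_headers(headers):
    """Return (unusual_names, collisions) for a list of (name, value) pairs.

    unusual_names: names containing anything besides letters, digits and "-".
    collisions: CGI variable -> distinct original names that map onto it.
    """
    unusual = []
    by_variable = defaultdict(list)
    for name, _value in headers:
        if not PLAIN_NAME.match(name) and name not in unusual:
            unusual.append(name)
        originals = by_variable[cgi_name(name)]
        # Header names are case-insensitive, so "X-Blah" and "x-blah" are one header.
        if name.lower() not in (o.lower() for o in originals):
            originals.append(name)
    collisions = {var: names for var, names in by_variable.items() if len(names) > 1}
    return unusual, collisions


# Constructed sample request headers (not taken from the thread or any log).
SAMPLE = [
    ("Host", "example.test"),
    ("Auth-Token", "set-by-trusted-proxy"),
    ("auth.token", "from-client"),
    ("Auth_Token", "from-client-2"),
    ("X-Request-Id", "42"),
]

if __name__ == "__main__":
    unusual, collisions = audit_headers(SAMPLE)
    print("names outside [A-Za-z0-9-]:", unusual)
    for var, names in collisions.items():
        print(var, "<-", names)
```

A backend that reads the translated variable cannot tell which of the colliding headers supplied the value, which is the ambiguity to rule out before switching ignore_invalid_headers off.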