Invalid characters in header keys and values


The HTTP/2 implementation applies stricter handling of invalid characters in HTTP header names and values than the HTTP/1 implementation.

Header field names are case-insensitive and are transmitted over the wire strictly as lower-case strings. The API provided by Node.js allows header names to be set as mixed-case strings (e.g. Content-Type) but will convert those to lower-case (e.g. content-type) upon transmission.

Header field-names must only contain one or more of the following ASCII characters: a-z, A-Z, 0-9, !, #, $, %, &, ', *, +, -, ., ^, _, ` (backtick), |, and ~.

Using invalid characters within an HTTP header field name will cause the stream to be closed with a protocol error being reported.

Header field values are handled with more leniency but should not contain new-line or carriage return characters and should be limited to US-ASCII characters, per the requirements of the HTTP specification.
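The rules above can be checked before untrusted data reaches the HTTP/2 API, so a bad name or a CR/LF in a value is rejected by the application instead of surfacing as a stream error. The following is an added example, not code from Node.js; `checkHeaders()`, its return shape and the sample input are hypothetical, and passing pseudo-headers (names starting with `:`) through the name check is an assumption.

```javascript
// Added example; checkHeaders() and its return shape are hypothetical.
// Allowed header-name characters, taken from the list in the text above.
const NAME_RE = /^[a-zA-Z0-9!#$%&'*+\-.^_`|~]+$/;

function checkHeaders(input) {
  const headers = Object.create(null); // no prototype: "__proto__" is just a key
  const problems = [];
  for (const [rawName, rawValue] of Object.entries(input)) {
    // Assumption: HTTP/2 pseudo-headers (":status", ":path") skip the name check.
    if (!rawName.startsWith(':') && !NAME_RE.test(rawName)) {
      problems.push({ name: rawName, reason: 'invalid character in name' });
      continue;
    }
    const name = rawName.toLowerCase(); // names go on the wire in lower case
    if (name in headers) {
      problems.push({ name, reason: 'duplicate name after lower-casing' });
      continue;
    }
    const values = Array.isArray(rawValue) ? rawValue : [rawValue];
    const bad = values.map(String).find((v) => /[\r\n]|[^\x00-\x7f]/.test(v));
    if (bad !== undefined) {
      const reason = /[\r\n]/.test(bad)
        ? 'CR or LF in value'
        : 'non-US-ASCII character in value';
      problems.push({ name, reason });
      continue;
    }
    headers[name] = rawValue;
  }
  return { headers, problems };
}

// Constructed sample input, as it might arrive from untrusted request data.
const sample = {
  'Content-Type': 'text/plain',
  'x-user name': 'alice',                        // space in the name
  'X-Redirect-To': '/home\r\nset-cookie: a=b',   // CR/LF in the value
  'x-note': 'caf\u00e9',                         // non-ASCII in the value
  'x-trace': 'abc',
};

const result = checkHeaders(sample);
console.log(Object.keys(result.headers));
console.log(result.problems);
```

Only the entries in `result.headers` are safe to pass on; each entry in `result.problems` names the header that was dropped and the rule it broke.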