21bc4aa9 created on August 12, 2025 · commit history
<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8"/>
        <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/>
        <title>AJ Security/Prevent CRLF Attacks</title>
        <meta name="description" content="A Practical Java Web Security Library. Prevent CRLF Attacks/Prevent Cookie Injection Attacks"/>
        <meta name="keywords" content="security, xss, csrf, captcha, Prevent CRLF Attacks,Prevent Cookie Injection Attacks"/>
        <meta name="viewport" content="width=device-width, initial-scale=1"/>
         <link rel="stylesheet" href="https://framework.ajaxjs.com/static/font/font.css" />
        <link rel="stylesheet" href="/asset/main.css"/>
        <link rel="icon" type="image/x-icon" href="https://framework.ajaxjs.com/aj-logo/logo.ico"/>
        <script src="https://framework.ajaxjs.com/static/aj-docs/common.js"></script>
        <script>
            // Get the user's default language
            var userLang = navigator.language || navigator.userLanguage;

            // Check whether the locale is Chinese (Simplified or Traditional)
            if (userLang.startsWith('zh') && location.pathname.indexOf('cn') == -1) {
                 confirm('欢迎!您可以改为访问中文内容。是否继续?') && location.assign('/cn');  // If Chinese, offer the Chinese version
            }

            var _hmt = _hmt || [];
            (function() {
              var hm = document.createElement("script");
              hm.src = "https://hm.baidu.com/hm.js?950ba5ba1f1fe4906c3b4cf836080f03";
              var s = document.getElementsByTagName("script")[0];
              s.parentNode.insertBefore(hm, s);
            })();
        </script>
    </head>
    <body>
        <nav>
            <div>
                <div class="links">
                    <a href="/">🏠 Home</a>
                    | ⚙️ Source:
                    <a target="_blank" href="https://github.com/lightweight-component/aj-security">Github</a>/<a target="_blank" href="https://gitcode.com/lightweight-component/aj-security">Gitcode</a>
                    |
                    <a href="/cn">Chinese Version</a>
                </div>
                <h1><img src="https://framework.ajaxjs.com/aj-logo/logo.png" style="vertical-align: middle;height: 45px;margin-bottom: 6px;" /> AJ Security</h1>
                <h3>User Manual</h3>
            </div>
        </nav>
        <div>
            <menu>
                <ul>
                    <li class="selected">
                        <a href="/">Home</a>
                    </li>
                    <li>
                        <a href="/install">Installation & Configuration</a>
                    </li>
                </ul>
                <h3>HTTP Web Security</h3>
                <ul>
                    <li>
                        <a href="/http/http-referer">HTTP Referer Validation</a>
                    </li>
                    <li>
                        <a href="/http/timestamp">Timestamp Encrypted Token Validation</a>
                    </li>
                    <li>
                        <a href="/http/paramssign">Parameter Signature</a>
                    </li>
                    <li>
                        <a href="/http/ip-list">IP Whitelist/Blacklist</a>
                    </li>
                    <li>
                        <a href="/http/nonrepeatsubmit">Prevent Duplicate Submission</a>
                    </li>
                </ul>
                <h3>General Web Validation</h3>
                <ul>
                    <li>
                        <a href="/classic/xss">Prevent XSS Attacks</a>
                    </li>
                    <li>
                        <a href="/classic/crlf">Prevent CRLF Attacks</a>
                    </li>
                </ul>

                <h3>Captcha Mechanism</h3>
                <ul>
                    <li><a href="/captcha/img-captcha">Image Captcha</a></li>
                    <li><a href="/captcha/google">Google-based Captcha</a></li>
                    <li><a href="/captcha/cf">CloudFlare-based Captcha</a></li>
                </ul>
                <h3>HTTP Standard Authentication</h3>
                <ul>
                    <li><a href="/auth/http-basic-auth">HTTP Basic Auth</a></li>
                    <li><a href="/auth/http-digest-auth">HTTP Digest Auth</a></li>
                </ul>
                <h3>API Features</h3>
                <ul>
                    <li><a href="/api/limit">Rate Limiting</a></li>
                </ul>
                <h3>Other Practical Features</h3>
                <ul>
                    <li><a href="/misc/desensitize">Field Desensitization</a></li>
                    <li><a href="/misc/encryption-api">API Encryption</a></li>
                    <li><a href="/misc/trace-id">Trace Tracking</a></li>
                </ul>
            </menu>
            <article>
                <h1>Prevent CRLF Attacks</h1>
<p>A CRLF (Carriage Return Line Feed) attack is a web application vulnerability in which user input containing the
line-terminator characters (<code>\r\n</code>) is copied into an HTTP response header. Because CRLF marks the end of a
header line, an attacker who controls such input can terminate the current header, insert new header fields, or even
construct an entirely new HTTP response (HTTP response splitting).</p>
<p>To prevent CRLF attacks, strictly validate and filter user input, rejecting any value that contains <code>\r</code> or <code>\n</code>.</p>
<h2>Configuration</h2>
<p>First, ensure the filter is enabled by setting <code>enabled: true</code>, and then enable <code>crlfCheck</code> to activate detection.</p>
<pre><code class="language-yaml">security:
    web: # General attack prevention
        enabled: true
        crlfCheck: true # Prevent CRLF attacks
</code></pre>
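<p>The kind of check that <code>crlfCheck</code> enables can be illustrated with a servlet filter. The code below is an added example, not aj-security's own implementation; it assumes the Jakarta Servlet API, the class and method names are hypothetical, and the inputs in <code>main</code> are constructed samples. It checks both the decoded parameters and the raw query string, so percent-encoded <code>%0d%0a</code> is caught as well.</p>

```java
import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;

/** Added example, not aj-security's own code: reject any request whose input carries CR or LF. */
public class CrlfCheckFilter implements Filter {
    // Percent-encoded CR/LF as they appear in the undecoded query string (either case).
    private static final Pattern ENCODED_CRLF = Pattern.compile("%0[dDaA]");

    /** True if the value contains a raw carriage return or line feed. */
    static boolean containsCrlf(String value) {
        return value != null && (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0);
    }

    /** Scans decoded parameter names and values plus the raw query string. */
    static boolean requestHasCrlf(Map<String, String[]> params, String rawQuery) {
        if (rawQuery != null && ENCODED_CRLF.matcher(rawQuery).find()) return true;
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (containsCrlf(e.getKey())) return true;
            for (String v : e.getValue()) {
                if (containsCrlf(v)) return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (requestHasCrlf(request.getParameterMap(), request.getQueryString())) {
            // Stop here, before any handler can copy the tainted value into a response header.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "CR/LF characters are not allowed in request input");
            return;
        }
        chain.doFilter(req, res);
    }

    public static void main(String[] args) {
        // Constructed samples: a clean value, one with an embedded CRLF, and a percent-encoded one.
        System.out.println(requestHasCrlf(Map.of("next", new String[]{"/home"}), "next=%2Fhome"));
        System.out.println(requestHasCrlf(Map.of("next", new String[]{"/home\r\nX-Test: 1"}), null));
        System.out.println(requestHasCrlf(Map.of(), "next=%2Fhome%0D%0AX-Test%3A+1"));
    }
}
```

<p>Registering the filter ahead of the application's own handlers matters: the check is only useful if it runs before any code that writes request data into a header such as <code>Location</code> or <code>Set-Cookie</code>.</p>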
<h1>Prevent Cookie Injection Attacks</h1>
<p>In certain cases, attackers may attempt to inject excessive data into cookies to pollute the application's state or
cause system anomalies. Checking cookie size caps the amount of data a single cookie may carry, which reduces the
likelihood of an attacker injecting large amounts of data.</p>
<h2>Configuration</h2>
<p>First, ensure the filter is enabled by setting <code>enabled: true</code>, then enable <code>cookiesSizeCheck</code> to activate detection,
and finally set <code>maxCookieSize</code> to define the maximum cookie size.</p>
<pre><code class="language-yaml">security:
    web: # General attack prevention
        enabled: true
        cookiesSizeCheck: true # Prevent Cookie Injection Attacks
        maxCookieSize: 1 # Maximum size of a single cookie, unit: KB
</code></pre>
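<p>A per-cookie size limit like the one <code>maxCookieSize</code> configures can be implemented as shown below. This is an added example, not aj-security's own code; it assumes the Jakarta Servlet API, that the limit applies to the cookie's name plus value measured in bytes, and the cookies in <code>main</code> are constructed samples. Class and method names are hypothetical.</p>

```java
import jakarta.servlet.*;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

/** Added example, not aj-security's own code: reject requests that carry an oversized cookie. */
public class CookieSizeCheckFilter implements Filter {
    // Limit in KB, mirroring the page's maxCookieSize setting (assumed here to cover name + value).
    private final int maxCookieKb;

    public CookieSizeCheckFilter(int maxCookieKb) { this.maxCookieKb = maxCookieKb; }

    /** Bytes one cookie occupies on the wire: name, '=' and value, UTF-8 encoded. */
    static int cookieSizeBytes(String name, String value) {
        String v = value == null ? "" : value;
        return (name + "=" + v).getBytes(StandardCharsets.UTF_8).length;
    }

    /** Returns the name of the first cookie larger than maxKb kilobytes, or null if all fit. */
    static String findOversized(Cookie[] cookies, int maxKb) {
        if (cookies == null) return null;   // getCookies() returns null when no Cookie header is present
        int limit = maxKb * 1024;
        for (Cookie c : cookies) {
            if (cookieSizeBytes(c.getName(), c.getValue()) > limit) return c.getName();
        }
        return null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String offender = findOversized(((HttpServletRequest) req).getCookies(), maxCookieKb);
        if (offender != null) {
            // Reject before the application reads the cookie into its own state.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Cookie '" + offender + "' exceeds " + maxCookieKb + " KB");
            return;
        }
        chain.doFilter(req, res);
    }

    public static void main(String[] args) {
        // Constructed samples under the page's 1 KB limit: a normal session cookie and a 1100-byte padded one.
        Cookie[] cookies = { new Cookie("sid", "abc123"), new Cookie("pref", "x".repeat(1100)) };
        System.out.println(findOversized(cookies, 1));
    }
}
```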

            </article>
        </div>
        <footer>
            AJ Security, a part of
            <a href="https://framework.ajaxjs.com" target="_blank">AJ-Framework</a>
            open source. Mail: frank@ajaxjs.com, visit
            <a href="https://blog.csdn.net/zhangxin09" target="_blank">my blog (in Chinese)</a>. <br/> <br/> Copyright © 2025 Frank Cheung. All rights reserved.
        </footer>
    </body>
</html>