Activity Processors: Header Processor: Incident - Duplicate Response Header

Complexity: Informational (0.0)

Default Response: None

Cause: Secure monitors all of the response headers sent from the server to the client. According to the HTTP RFC, no server should ever provide more than one copy of a specific header. For example, servers should not send multiple "Content-Length" headers. However, there are a few exceptions, such as the "Set-Cookie" header, which can be configured to allow multiples. If the server attempts to return multiple headers of the same type that are not explicitly configured to allow duplicates, this incident is triggered.

Behavior: The RFC does not allow servers to return multiple headers of the same type, with a few exceptions such as Set-Cookie. If the server does return duplicates for a header that normally does not support them, then either there is a bug in the web application, or the user has successfully executed a "Response Splitting" attack. In either case, the service located at the URL for which this incident is triggered should be reviewed for response splitting vulnerabilities or for bugs that would cause duplicate response headers to be returned.
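The check described above, as an added Python example that is not part of this documentation or the product's own code: it parses a raw HTTP response header block and reports header names that repeat outside a configurable allow-list. The allow-list default and the sample response are constructed here; Set-Cookie is the only exception the page itself names.

```python
from collections import Counter

# Set-Cookie is the exception named in the incident text; a deployment
# may configure further headers that are permitted to repeat.
DEFAULT_ALLOWED_DUPLICATES = frozenset({"set-cookie"})


def parse_header_block(raw: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs from the header section of a raw response.

    Names are lower-cased because header names are case-insensitive, so
    'Content-Length' and 'content-length' count as the same header.
    Obsolete line folding (a continuation line starting with whitespace)
    is appended to the previous header's value instead of becoming a new one.
    """
    headers: list[tuple[str, str]] = []
    for line in raw.split("\r\n")[1:]:      # index 0 is the status line
        if line == "":
            break                            # blank line ends the header section
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def duplicate_headers(raw: str, allowed=DEFAULT_ALLOWED_DUPLICATES) -> dict[str, int]:
    """Map each header that repeats but is not allowed to -> its occurrence count.

    An empty result means the response passes the duplicate-header check.
    """
    counts = Counter(name for name, _ in parse_header_block(raw))
    return {n: c for n, c in counts.items() if c > 1 and n not in allowed}


# Constructed sample, not captured from any real server: Content-Length appears
# twice (would trigger the incident) and Set-Cookie twice (permitted).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 42\r\n"
    "Set-Cookie: session=abc\r\n"
    "Set-Cookie: theme=dark\r\n"
    "content-length: 17\r\n"
    "\r\n"
    "<html>...</html>"
)
```

Running `duplicate_headers(SAMPLE_RESPONSE)` yields `{'content-length': 2}`; passing `allowed=frozenset()` also reports the two Set-Cookie headers, which shows how the allow-list decides what counts as an incident.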