How does `http::HeaderValue::from_str` validate header values against HTTP specifications?

http::HeaderValue::from_str validates that the input string contains only valid HTTP header value characters according to RFC 7230, returning an error if the string contains invalid bytes. Valid header values are restricted to visible ASCII characters (0x21-0x7E), space (0x20), and horizontal tab (0x09)—control characters and non-ASCII bytes are forbidden. The method also allows obs-fold sequences (CRLF followed by space or tab) in specific contexts, though modern HTTP discourages their use. The validation ensures that the resulting HeaderValue can be safely transmitted over HTTP without encoding issues, as HTTP/1.1 headers are transmitted as ASCII text and intermediaries may reject malformed values.

What is a HeaderValue?

use http::HeaderValue;
 
// HeaderValue represents a valid HTTP header value
// It's a thin wrapper around bytes guaranteed to be valid
 
// Create from static string (compile-time validation)
let content_type = HeaderValue::from_static("application/json");
 
// Create from dynamic string (runtime validation)
let custom = HeaderValue::from_str("text/html; charset=utf-8").unwrap();
 
// Header values can also be created from bytes
let bytes = HeaderValue::from_bytes(b"valid value").unwrap();

HeaderValue is a type that guarantees its contents are valid for HTTP headers.

Basic Validation with from_str

use http::HeaderValue;
 
fn main() {
    // Valid: printable ASCII
    let valid = HeaderValue::from_str("application/json").unwrap();
    println!("Valid: {:?}", valid);
    
    // Valid: contains space
    let with_space = HeaderValue::from_str("text/html; charset=utf-8").unwrap();
    println!("With space: {:?}", with_space);
    
    // Valid: contains tab
    let with_tab = HeaderValue::from_str("value\twith\ttab").unwrap();
    println!("With tab: {:?}", with_tab);
    
    // Invalid: contains newline
    let result = HeaderValue::from_str("invalid\nvalue");
    match result {
        Ok(_) => println!("Unexpected success"),
        Err(e) => println!("Error: {}", e), // Invalid header value
    }
    
    // Invalid: contains control character
    let result2 = HeaderValue::from_str("invalid\x01value");
    match result2 {
        Ok(_) => println!("Unexpected success"),
        Err(e) => println!("Error: {}", e),
    }
}

from_str validates at runtime, returning Result<HeaderValue, InvalidHeaderValue>.

Valid Characters According to RFC 7230

use http::HeaderValue;
 
fn main() {
    // RFC 7230 defines valid header value characters:
    // - VCHAR: visible ASCII (0x21-0x7E)
    // - SP: space (0x20)
    // - HTAB: horizontal tab (0x09)
    // - obs-fold: CRLF followed by SP or HTAB (deprecated)
    
    // Visible ASCII characters (printable, no control chars)
    let visible = HeaderValue::from_str("!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~").unwrap();
    println!("All visible ASCII works");
    
    // Space (0x20) is allowed
    let spaces = HeaderValue::from_str("value with spaces").unwrap();
    
    // Horizontal tab (0x09) is allowed
    let tabs = HeaderValue::from_str("value\twith\ttabs").unwrap();
    
    // Control characters (0x00-0x1F except HTAB) are forbidden
    // NUL, CR, LF, etc.
    assert!(HeaderValue::from_str("bad\x00value").is_err()); // NUL
    assert!(HeaderValue::from_str("bad\rvalue").is_err());   // CR
    assert!(HeaderValue::from_str("bad\nvalue").is_err());   // LF
    assert!(HeaderValue::from_str("bad\x1Fvalue").is_err()); // Unit Separator
    
    // DEL (0x7F) is also forbidden
    assert!(HeaderValue::from_str("bad\x7Fvalue").is_err()); // DEL
    
    // Non-ASCII bytes (> 0x7F) are forbidden in from_str
    assert!(HeaderValue::from_str("café").is_err()); // é is non-ASCII
}

The validation follows HTTP/1.1 specifications for header field values.

Handling Validation Errors

use http::HeaderValue;
 
fn validate_header_value(input: &str) -> Result<HeaderValue, String> {
    HeaderValue::from_str(input).map_err(|e| {
        format!("Invalid header value '{}': {}", input, e)
    })
}
 
fn main() {
    // Safe validation with error context
    match validate_header_value("valid-value") {
        Ok(value) => println!("Valid: {}", value),
        Err(e) => println!("Error: {}", e),
    }
    
    match validate_header_value("invalid\nvalue") {
        Ok(value) => println!("Valid: {}", value),
        Err(e) => println!("Error: {}", e),
    }
}

The error type InvalidHeaderValue implements Display for error messages.

from_str vs from_bytes

use http::HeaderValue;
 
fn main() {
    // from_str: validates UTF-8 and HTTP validity
    // Rejects non-ASCII bytes
    let str_result = HeaderValue::from_str("value");
    println!("from_str valid: {:?}", str_result.is_ok());
    
    // from_bytes: only validates HTTP validity
    // Allows any bytes that are valid for HTTP (including non-UTF-8)
    let bytes_result = HeaderValue::from_bytes(b"value");
    println!("from_bytes valid: {:?}", bytes_result.is_ok());
    
    // from_bytes allows non-UTF-8 sequences that are HTTP-valid
    // (though such usage is unusual and typically indicates binary data)
    let binary_result = HeaderValue::from_bytes(&[0x20, 0x21, 0x22]);
    println!("from_bytes binary: {:?}", binary_result.is_ok());
    
    // Both reject control characters
    assert!(HeaderValue::from_bytes(b"bad\nvalue").is_err());
    assert!(HeaderValue::from_str("bad\nvalue").is_err());
}

from_str validates UTF-8 encoding plus HTTP validity; from_bytes only validates HTTP validity.

from_static for Compile-Time Validation

use http::HeaderValue;
 
fn main() {
    // from_static validates at compile time
    // Panics if invalid (shouldn't happen for known-good constants)
    const CONTENT_TYPE_JSON: HeaderValue = HeaderValue::from_static("application/json");
    
    // Useful for known constants
    let content_length = HeaderValue::from_static("0");
    let connection = HeaderValue::from_static("keep-alive");
    
    // Compile-time check ensures these are always valid
    // No runtime overhead for validation
}

from_static is const and validates at compile time for known-good values.

Obs-Fold Handling

use http::HeaderValue;
 
fn main() {
    // RFC 7230 allows "obs-fold" (obsolete line folding)
    // CRLF followed by at least one SP or HTAB
    // This is deprecated but still accepted
    
    // Modern usage: single line
    let modern = HeaderValue::from_str("value one two three").unwrap();
    
    // Obs-fold form (historically valid)
    // In practice, most implementations convert to spaces
    // Note: from_str may or may not accept this depending on version
    // Let's check:
    
    let with_fold = "value\r\n one";
    match HeaderValue::from_str(with_fold) {
        Ok(v) => println!("Obs-fold accepted: {:?}", v),
        Err(e) => println!("Obs-fold rejected: {}", e),
    }
}

Obs-fold is a deprecated legacy feature for multi-line header values.

Common Header Value Patterns

use http::HeaderValue;
 
fn main() {
    // Content-Type
    let content_type = HeaderValue::from_str("application/json; charset=utf-8").unwrap();
    
    // Content-Length (numeric)
    let content_length = HeaderValue::from_str("12345").unwrap();
    
    // Cache-Control
    let cache_control = HeaderValue::from_str("max-age=3600, public").unwrap();
    
    // Authorization (Bearer token)
    let auth = HeaderValue::from_str("Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9").unwrap();
    
    // User-Agent
    let user_agent = HeaderValue::from_str("Mozilla/5.0 (compatible; MyBot/1.0)").unwrap();
    
    // Custom headers must also follow the rules
    let custom = HeaderValue::from_str("X-Custom-Header-Value").unwrap();
}

All standard headers follow the same validation rules.

Invalid Characters in Practice

use http::HeaderValue;
 
fn main() {
    // Common invalid characters that cause validation to fail:
    
    // 1. Newlines (CRLF injection prevention)
    assert!(HeaderValue::from_str("value\nwith\nnewlines").is_err());
    assert!(HeaderValue::from_str("value\r\nwith\r\ncrlf").is_err());
    
    // 2. Null bytes
    assert!(HeaderValue::from_str("value\x00null").is_err());
    
    // 3. Non-ASCII characters (UTF-8 but outside ASCII)
    assert!(HeaderValue::from_str("café").is_err());        // é = 0xC3 0xA9
    assert!(HeaderValue::from_str("日本語").is_err());      // Japanese chars
    assert!(HeaderValue::from_str("emoji 😀").is_err());   // Emoji
    
    // 4. Other control characters
    assert!(HeaderValue::from_str("value\x01control").is_err()); // SOH
    assert!(HeaderValue::from_str("value\x02control").is_err()); // STX
    assert!(HeaderValue::from_str("value\x1bcontrol").is_err()); // ESC
    
    // 5. DEL character
    assert!(HeaderValue::from_str("value\x7f").is_err());
}

These restrictions prevent header injection attacks and ensure HTTP compatibility.

Converting Invalid Values

use http::HeaderValue;
 
fn safe_header_value(input: &str) -> HeaderValue {
    // If valid, use directly
    if let Ok(value) = HeaderValue::from_str(input) {
        return value;
    }
    
    // If invalid, we need to decide how to handle:
    
    // Option 1: percent-encode (depends on context)
    // Not directly supported by http crate
    
    // Option 2: Base64 encode for binary data
    let encoded = base64_encode(input);
    HeaderValue::from_str(&encoded).unwrap()
    
    // Option 3: Use percent encoding for URLs in headers
    // Use url::percent_encode for URL encoding
    
    // Option 4: Use from_bytes if you have controlled binary data
    // Only for valid HTTP bytes, not arbitrary binary
}
 
fn base64_encode(input: &str) -> String {
    use base64::{Engine as _, engine::general_purpose};
    general_purpose::STANDARD.encode(input.as_bytes())
}

When dealing with potentially invalid values, you must sanitize or encode.

Encoding Non-ASCII Values

use http::HeaderValue;
 
fn main() {
    // Non-ASCII values need encoding before use
    
    // For Content-Disposition filenames with Unicode:
    // RFC 6266 specifies the encoding
    
    // Option 1: Percent encode (URL encoding)
    fn percent_encode_filename(filename: &str) -> String {
        use url::percent_encoding::{percent_encode, NON_ALPHANUMERIC};
        percent_encode(filename.as_bytes(), NON_ALPHANUMERIC).to_string()
    }
    
    // Option 2: Base64 for binary data
    fn base64_encode_value(data: &[u8]) -> String {
        use base64::{Engine as _, engine::general_purpose};
        general_purpose::STANDARD.encode(data)
    }
    
    // Option 3: RFC 5987 encoding for Content-Disposition
    fn rfc5987_encode(value: &str) -> String {
        // Format: charset'lang'encoded-value
        // Example: UTF-8''%E6%97%A5%E6%9C%AC%E8%AA%9E
        format!("UTF-8''{}", 
            url::percent_encoding::percent_encode(value.as_bytes(), 
                url::percent_encoding::NON_ALPHANUMERIC))
    }
    
    // After encoding, the result should be valid ASCII
    let encoded = base64_encode_value("binary\x00data".as_bytes());
    let header_value = HeaderValue::from_str(&encoded).unwrap();
}

Encode non-ASCII or binary values to ASCII before creating header values.

Using HeaderValue with HeaderMap

use http::{HeaderMap, HeaderName, HeaderValue};
 
fn main() {
    let mut headers = HeaderMap::new();
    
    // Create headers with validated values
    headers.insert(
        HeaderName::from_static("content-type"),
        HeaderValue::from_static("application/json"),
    );
    
    headers.insert(
        HeaderName::from_static("content-length"),
        HeaderValue::from_str("12345").unwrap(),
    );
    
    // Dynamic values need validation
    let user_agent = format!("MyApp/{}", "1.0.0");
    headers.insert(
        HeaderName::from_static("user-agent"),
        HeaderValue::from_str(&user_agent).unwrap(),
    );
    
    // Accessing header values
    if let Some(content_type) = headers.get("content-type") {
        println!("Content-Type: {}", content_type.to_str().unwrap());
    }
}
 
// Helper to safely add headers
fn add_header(
    headers: &mut HeaderMap,
    name: &str,
    value: &str
) -> Result<(), String> {
    let header_name = HeaderName::from_static(name);
    let header_value = HeaderValue::from_str(value)
        .map_err(|e| format!("Invalid header value: {}", e))?;
    headers.insert(header_name, header_value);
    Ok(())
}

HeaderMap stores HeaderValue instances, ensuring all values are pre-validated.

to_str for Safe Conversion Back

use http::HeaderValue;
 
fn main() {
    let value = HeaderValue::from_str("application/json").unwrap();
    
    // to_str converts back to &str
    // Returns Result because even valid HTTP bytes might not be valid UTF-8
    // (though from_str guarantees UTF-8, from_bytes might not)
    let s = value.to_str().unwrap();
    println!("Value as str: {}", s);
    
    // to_bytes for raw access
    let bytes = value.as_bytes();
    println!("Value as bytes: {:?}", bytes);
    
    // as_str for known-safe values (from_static)
    // Only use when you're certain the value came from from_static or from_str
}

to_str() safely converts back to a string reference when possible.

Security Implications

use http::HeaderValue;
 
fn main() {
    // Header injection attacks are prevented by validation
    
    // Attacker tries to inject new header via value
    let malicious = "application/json\r\nX-Injected: malicious";
    
    // This fails validation
    assert!(HeaderValue::from_str(malicious).is_err());
    
    // The CR and LF characters are rejected
    
    // Without validation, an attacker could:
    // HTTP/1.1 200 OK
    // Content-Type: application/json
    // X-Injected: malicious   <- injected!
    
    // Always validate untrusted input:
    fn safe_from_user_input(input: &str) -> Option<HeaderValue> {
        // Reject if contains control characters
        if input.chars().any(|c| c.is_control() && c != '\t') {
            return None;
        }
        HeaderValue::from_str(input).ok()
    }
}

Validation prevents header injection and request smuggling attacks.

Comparison with Other Validation Approaches

use http::HeaderValue;
 
fn main() {
    // Manual validation (error-prone)
    fn manual_validate(value: &str) -> bool {
        value.chars().all(|c| {
            c.is_ascii_graphic() || c == ' ' || c == '\t'
        })
    }
    
    // Problem: doesn't catch all edge cases
    // Problem: doesn't handle obs-fold
    // Problem: different interpretations of "valid"
    
    // Using HeaderValue::from_str
    // - Follows RFC 7230 precisely
    // - Handles all edge cases
    // - Consistent with other HTTP libraries
    // - Returns meaningful error
    
    // Example:
    let test_value = "application/json";
    
    // Manual might miss edge cases
    assert!(manual_validate(test_value));
    
    // HeaderValue is authoritative
    assert!(HeaderValue::from_str(test_value).is_ok());
}

Using HeaderValue::from_str ensures RFC-compliant validation.

Real-World Example: Building HTTP Response Headers

use http::{HeaderValue, HeaderMap, HeaderName};
 
fn build_response_headers(
    content_type: &str,
    content_length: u64,
    custom_headers: Vec<(&str, &str)>
) -> Result<HeaderMap, String> {
    let mut headers = HeaderMap::new();
    
    // Standard headers
    headers.insert(
        HeaderName::from_static("content-type"),
        HeaderValue::from_str(content_type)
            .map_err(|e| format!("Invalid content-type: {}", e))?
    );
    
    headers.insert(
        HeaderName::from_static("content-length"),
        HeaderValue::from_str(&content_length.to_string()).unwrap()
    );
    
    // Custom headers - validate each
    for (name, value) in custom_headers {
        let header_name = HeaderName::from_bytes(name.as_bytes())
            .map_err(|e| format!("Invalid header name '{}': {}", name, e))?;
        let header_value = HeaderValue::from_str(value)
            .map_err(|e| format!("Invalid header value for '{}': {}", name, e))?;
        headers.insert(header_name, header_value);
    }
    
    Ok(headers)
}
 
fn main() {
    match build_response_headers(
        "application/json",
        12345,
        vec![
            ("X-Request-Id", "abc-123"),
            ("X-Custom", "value"),
        ]
    ) {
        Ok(headers) => println!("Headers: {:?}", headers),
        Err(e) => println!("Error: {}", e),
    }
}

Production code should always validate header values from external sources.

Real-World Example: Parsing User Input for Headers

use http::HeaderValue;
 
// Safely handle user-provided header values
fn parse_user_header_value(user_input: String) -> Result<HeaderValue, String> {
    // Trim whitespace
    let trimmed = user_input.trim();
    
    // Validate
    HeaderValue::from_str(trimmed)
        .map_err(|e| {
            format!(
                "Header value contains invalid characters. \
                 Only printable ASCII, space, and tab are allowed: {}",
                e
            )
        })
}
 
// Handle Unicode content
fn parse_filename_header(filename: &str) -> Result<HeaderValue, String> {
    // ASCII filenames can go directly
    if filename.is_ascii() {
        return HeaderValue::from_str(filename)
            .map_err(|e| e.to_string());
    }
    
    // Non-ASCII needs encoding (e.g., Content-Disposition filename)
    // Use RFC 5987 encoding
    let encoded = format!("UTF-8''{}", 
        url::percent_encoding::percent_encode(
            filename.as_bytes(),
            url::percent_encoding::NON_ALPHANUMERIC
        )
    );
    
    HeaderValue::from_str(&encoded)
        .map_err(|e| e.to_string())
}
 
fn main() {
    // Test with user input
    match parse_user_header_value("valid-value".to_string()) {
        Ok(v) => println!("Valid: {}", v),
        Err(e) => println!("Error: {}", e),
    }
    
    match parse_user_header_value("invalid\nvalue".to_string()) {
        Ok(v) => println!("Valid: {}", v),
        Err(e) => println!("Error: {}", e),
    }
}

User input must always be validated before use in headers.

Synthesis

Valid characters for HTTP header values (RFC 7230):

| Range | Characters | Allowed | |-------|------------|---------| | 0x00-0x08 | Control chars | ❌ No | | 0x09 | Horizontal tab | ✅ Yes | | 0x0A-0x1F | Control chars | ❌ No | | 0x20 | Space | ✅ Yes | | 0x21-0x7E | Printable ASCII | ✅ Yes | | 0x7F | DEL | ❌ No | | 0x80-0xFF | Non-ASCII | ❌ No (in from_str) |

Methods comparison:

| Method | Input | Validation | Use Case | |--------|-------|------------|----------| | from_static | &'static str | Compile-time | Known constants | | from_str | &str | Runtime UTF-8 + HTTP | Dynamic text | | from_bytes | &[u8] | Runtime HTTP only | Binary data | | from_name | HeaderName | — | Typed headers |

Common invalid characters:

| Character | Byte | Why invalid | |-----------|------|-------------| | NUL | 0x00 | Control character | | CR | 0x0D | Control, injection risk | | LF | 0x0A | Control, injection risk | | ESC | 0x1B | Control character | | DEL | 0x7F | Control character | | é | 0xC3 0xA9 | Non-ASCII (UTF-8) |

Key insight: http::HeaderValue::from_str enforces HTTP/1.1 header value constraints by validating that input contains only visible ASCII characters (0x21-0x7E), space (0x20), and horizontal tab (0x09)—rejecting all control characters (including newlines) and non-ASCII bytes. This validation prevents header injection attacks where malicious CR/LF characters could inject fake headers into HTTP messages. The resulting HeaderValue type is a proof of validity that can be safely inserted into HeaderMap without additional checks. For non-ASCII content like filenames in Content-Disposition, applications must encode values before validation using RFC 5987 percent-encoding or base64. The distinction between from_str (validates UTF-8 plus HTTP constraints) and from_bytes (validates HTTP constraints only) matters for binary data that might be valid for HTTP but not valid UTF-8. Compile-time validation with from_static is preferred for constant header values to eliminate runtime overhead.

Loading page…

How does http::HeaderValue::from_str validate header values against HTTP specifications?

What is a HeaderValue?

Basic Validation with from_str

Valid Characters According to RFC 7230

Handling Validation Errors

from_str vs from_bytes

from_static for Compile-Time Validation

Obs-Fold Handling

Common Header Value Patterns

Invalid Characters in Practice

Converting Invalid Values

Encoding Non-ASCII Values

Using HeaderValue with HeaderMap

to_str for Safe Conversion Back

Security Implications

Comparison with Other Validation Approaches

Real-World Example: Building HTTP Response Headers

Real-World Example: Parsing User Input for Headers

Synthesis

How does http::HeaderValue::from_str validate header values against HTTP specifications?

What is a HeaderValue?

Basic Validation with from_str

Valid Characters According to RFC 7230

Handling Validation Errors

from_str vs from_bytes

from_static for Compile-Time Validation

Obs-Fold Handling

Common Header Value Patterns

Invalid Characters in Practice

Converting Invalid Values

Encoding Non-ASCII Values

Using HeaderValue with HeaderMap

to_str for Safe Conversion Back

Security Implications

Comparison with Other Validation Approaches

Real-World Example: Building HTTP Response Headers

Real-World Example: Parsing User Input for Headers

Synthesis

How does `http::HeaderValue::from_str` validate header values against HTTP specifications?

How does `http::HeaderValue::from_str` validate header values against HTTP specifications?