1) Fixed typo

2) Made the headers and status_code follow RFC 9110
3) Fixed corresponding tests

Signed-off-by: Jitesh Nair <jiteshnair@ibm.com>

Author: ja8zyjits

mcpgateway/main.py

@@ -33,6 +33,7 @@
 from functools import lru_cache
 import hashlib
 import html
+import re
 import sys
 from typing import Any, AsyncIterator, Dict, List, Optional, Union
 from urllib.parse import urlparse, urlunparse
@@ -87,7 +88,7 @@
 from mcpgateway.middleware.validation_middleware import ValidationMiddleware
 from mcpgateway.observability import init_telemetry
 from mcpgateway.plugins.framework import PluginError, PluginManager, PluginViolationError
-from mcpgateway.plugins.framework.constants import PLUGIN_VIOLATION_CODE_MAPPING, PluginViolationCode
+from mcpgateway.plugins.framework.constants import PLUGIN_VIOLATION_CODE_MAPPING, PluginViolationCode, VALID_HTTP_STATUS_CODES
 from mcpgateway.routers.server_well_known import router as server_well_known_router
 from mcpgateway.routers.well_known import router as well_known_router
 from mcpgateway.schemas import (
@@ -1445,6 +1446,51 @@ async def database_exception_handler(_request: Request, exc: IntegrityError):
     return ORJSONResponse(status_code=409, content=ErrorFormatter.format_database_error(exc))
 
 
+def _validate_http_headers(headers: dict[str, str]) -> Optional[dict[str, str]]:
+    """Validate headers according to RFC 9110.
+
+    Args:
+        headers: dict of headers
+
+    Returns:
+        Optional[dict[str, str]]: dictionary of valid headers
+
+    Rules enforced:
+      - Header name must match RFC 9110 'token'.
+      - No whitespace before colon (enforced by dictionary usage).
+      - Header value must not contain CTL characters (0x00–0x1F, 0x7F).
+    """
+
+    # RFC 9110 'token' definition:
+    # token = 1*tchar
+    # tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
+    #         / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
+    #         / DIGIT / ALPHA
+    header_key = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
+    validated: dict[str, str] = {}
+    for key, value in headers.items():
+        # Validate header name (RFC 9110)
+        if not re.match(header_key, key):
+            logger.warning(f"Invalid header name: {key}")
+            continue
+        # Validate header value (no CRLF)
+        if "\r" in value or "\n" in value:
+            logger.warning(f"Header value contains CRLF: {key}")
+            continue
+        # RFC 9110: Reject CTLs (0x00–0x1F, 0x7F). Allow SP (0x20) and HTAB (0x09).
+        # Further structure (quoted-string, lists, parameters) is left to higher-level parsers.
+        valid = True
+        for ch in value:
+            code = ord(ch)
+            if (0 <= code <= 31 or code == 127) and code not in (9, 32):
+                valid = False
+                break
+        if not valid:
+            continue
+        validated[key] = value
+    return validated if validated else None
+
+
 @app.exception_handler(PluginViolationError)
 async def plugin_violation_exception_handler(_request: Request, exc: PluginViolationError):
     """Handle plugins violations globally.
@@ -1506,7 +1552,7 @@ async def plugin_violation_exception_handler(_request: Request, exc: PluginViola
 
         # Use HTTP status code from violation if present (e.g., 429 for rate limiting)
         http_status = exc.violation.http_status_code if exc.violation.http_status_code else None
-        if http_status and not 400 <= http_status <= 599:
+        if http_status and not VALID_HTTP_STATUS_CODES.get(http_status):
             logger.warning(f"Invalid HTTP status code {http_status} from violation, defaulting to 200")
             http_status = None
         if not http_status:
@@ -1524,7 +1570,9 @@ async def plugin_violation_exception_handler(_request: Request, exc: PluginViola
 
     response = ORJSONResponse(status_code=http_status, content={"error": json_rpc_error.model_dump()})
     if headers:
-        response.headers.update(headers)
+        validatated_headers = _validate_http_headers(headers)
+        if validatated_headers:
+            response.headers.update(validatated_headers)
     return response
 
 

mcpgateway/plugins/framework/constants.py

@@ -10,6 +10,7 @@
 
 # Standard
 
+# Standard
 from dataclasses import dataclass
 from types import MappingProxyType
 from typing import Mapping
@@ -54,7 +55,7 @@ class PluginViolationCode:
     """
     Plugin violation codes as an immutable dataclass object.
 
-    Provide Maping for violation codes to their corresponding HTTP status codes for proper error responses.
+    Provide Mapping for violation codes to their corresponding HTTP status codes for proper error responses.
     """
 
     code: int
@@ -89,3 +90,48 @@ class PluginViolationCode:
         "PROCESSING_ERROR": PluginViolationCode(500, "PROCESSING_ERROR", "Used when processing encounters an error"),
     }
 )
+
+VALID_HTTP_STATUS_CODES: dict[int, str] = {  # RFC 9110
+    # 4xx — Client Error
+    400: "Bad Request",
+    401: "Unauthorized",
+    402: "Payment Required",
+    403: "Forbidden",
+    404: "Not Found",
+    405: "Method Not Allowed",
+    406: "Not Acceptable",
+    407: "Proxy Authentication Required",
+    408: "Request Timeout",
+    409: "Conflict",
+    410: "Gone",
+    411: "Length Required",
+    412: "Precondition Failed",
+    413: "Content Too Large",  # (was "Payload Too Large" before RFC 9110)
+    414: "URI Too Long",
+    415: "Unsupported Media Type",
+    416: "Range Not Satisfiable",
+    417: "Expectation Failed",
+    418: "(Unused)",
+    421: "Misdirected Request",
+    422: "Unprocessable Content",  # (was "Unprocessable Entity")
+    423: "Locked",
+    424: "Failed Dependency",
+    425: "Too Early",
+    426: "Upgrade Required",
+    428: "Precondition Required",
+    429: "Too Many Requests",
+    431: "Request Header Fields Too Large",
+    451: "Unavailable For Legal Reasons",
+    # 5xx — Server Error
+    500: "Internal Server Error",
+    501: "Not Implemented",
+    502: "Bad Gateway",
+    503: "Service Unavailable",
+    504: "Gateway Timeout",
+    505: "HTTP Version Not Supported",
+    506: "Variant Also Negotiates",
+    507: "Insufficient Storage",
+    508: "Loop Detected",
+    510: "Not Extended",
+    511: "Network Authentication Required",
+}

plugins/rate_limiter/rate_limiter.py

@@ -207,7 +207,7 @@ def _select_most_restrictive(
         "limited": True,
         "remaining": remaining,
         "reset_in": retry_after,
-        "dimensions": [m for _, _, _, m in allowed_dims],
+        "dimensions": {"allowed": [m for _, _, _, m in allowed_dims]},
     }
     return True, limit, remaining, reset_ts, aggregated_meta
 

tests/unit/mcpgateway/test_main.py

@@ -3383,7 +3383,7 @@ def test_plugin_violation_invalid_http_status_code_below_range(self):
         assert content["error"]["code"] == -32602
 
     def test_plugin_violation_invalid_http_status_code_above_range(self):
-        """Test that invalid HTTP status code above 599 defaults to None and uses mapping."""
+        """Test that invalid HTTP status code above 511 defaults to None and uses mapping."""
         # Standard
         import asyncio
 
@@ -3396,7 +3396,7 @@ def test_plugin_violation_invalid_http_status_code_above_range(self):
             reason="Invalid status",
             description="Status code above valid range",
             code="RATE_LIMIT",  # Has mapping to 429
-            http_status_code=600,  # Invalid: above 599
+            http_status_code=512  # Invalid: above 511
         )
         exc = PluginViolationError(message="Invalid status", violation=violation)
 
@@ -3421,7 +3421,7 @@ def test_plugin_violation_invalid_http_status_code_no_mapping_fallback(self):
             reason="Invalid status",
             description="Status code invalid, no mapping",
             code="UNKNOWN_CODE",  # Not in mapping
-            http_status_code=1000,  # Invalid: way above 599
+            http_status_code=1000,  # Invalid: way above 511
         )
         exc = PluginViolationError(message="Invalid status", violation=violation)
 
@@ -3433,7 +3433,7 @@ def test_plugin_violation_invalid_http_status_code_no_mapping_fallback(self):
         assert content["error"]["code"] == -32602
 
     def test_plugin_violation_valid_http_status_code_edge_cases(self):
-        """Test that valid edge case HTTP status codes (400, 599) are accepted."""
+        """Test that valid edge case HTTP status codes (400, 511) are accepted."""
         # Standard
         import asyncio
 
@@ -3453,16 +3453,16 @@ def test_plugin_violation_valid_http_status_code_edge_cases(self):
         result_400 = asyncio.run(plugin_violation_exception_handler(None, exc_400))
         assert result_400.status_code == 400
 
-        # Test upper boundary (599)
-        violation_599 = PluginViolation(
+        # Test upper boundary (511)
+        violation_511 = PluginViolation(
             reason="Network error",
-            description="Valid status 599",
+            description="Valid status 511",
             code="ERROR",
-            http_status_code=599,  # Valid: exactly 599
+            http_status_code=511,  # Valid: exactly 511
         )
-        exc_599 = PluginViolationError(message="Status 599", violation=violation_599)
-        result_599 = asyncio.run(plugin_violation_exception_handler(None, exc_599))
-        assert result_599.status_code == 599
+        exc_511 = PluginViolationError(message="Status 511", violation=violation_511)
+        result_511 = asyncio.run(plugin_violation_exception_handler(None, exc_511))
+        assert result_511.status_code == 511
 
     def test_plugin_exception_handler_with_full_error(self):
         """Test plugin_exception_handler with complete error details."""