apple · 0xTim · Aug 13, 2025 · Aug 13, 2025 · Aug 13, 2025 · Aug 13, 2025
diff --git a/Sources/NIOHTTP1/HTTPHeaderValidator.swift b/Sources/NIOHTTP1/HTTPHeaderValidator.swift
@@ -71,9 +71,16 @@ public final class NIOHTTPResponseHeadersValidator: ChannelOutboundHandler, Remo
     }
 
     private var state: State
+    private let sendResponseOnInvalidHeader: Bool
 
     public init() {
         self.state = .validating
+        self.sendResponseOnInvalidHeader = false
+    }
+
+    public init(sendResponseOnInvalidHeader: Bool) {
+        self.state = .validating
+        self.sendResponseOnInvalidHeader = sendResponseOnInvalidHeader
     }
 
     public func write(context: ChannelHandlerContext, data: NIOAny, promise: EventLoopPromise<Void>?) {
@@ -82,6 +89,14 @@ public final class NIOHTTPResponseHeadersValidator: ChannelOutboundHandler, Remo
             if head.headers.areValidToSend {
                 context.write(data, promise: promise)
             } else {
+                // We won't write another header since we drop them going forward to write
+                // out a response if configured to do so
+                if self.sendResponseOnInvalidHeader {
+                    let headers = HTTPHeaders([("Connection", "close"), ("Content-Length", "0")])
+                    let head = HTTPResponseHead(version: .http1_1, status: .badRequest, headers: headers)
+                    context.write(Self.wrapOutboundOut(.head(head)), promise: nil)
+                    context.writeAndFlush(Self.wrapOutboundOut(.end(nil)), promise: nil)
+                }
                 self.state = .dropping
                 promise?.fail(HTTPParserError.invalidHeaderToken)
                 context.fireErrorCaught(HTTPParserError.invalidHeaderToken)

diff --git a/Sources/NIOHTTP1/HTTPPipelineSetup.swift b/Sources/NIOHTTP1/HTTPPipelineSetup.swift
@@ -913,12 +913,65 @@ extension ChannelPipeline.SynchronousOperations {
         )
     }
 
+    /// Configure a `ChannelPipeline` for use as a HTTP server.
+    ///
+    /// This function knows how to set up all first-party HTTP channel handlers appropriately
+    /// for server use. It supports the following features:
+    ///
+    /// 1. Providing assistance handling clients that pipeline HTTP requests, using the
+    ///     `HTTPServerPipelineHandler`.
+    /// 2. Supporting HTTP upgrade, using the `HTTPServerUpgradeHandler`.
+    /// 3. Providing assistance handling protocol errors.
+    /// 4. Validating outbound header fields to protect against response splitting attacks.
+    /// 5. Specifying whether the header validation should return a response
+    ///
+    /// This method will likely be extended in future with more support for other first-party
+    /// features.
+    ///
+    /// - important: This **must** be called on the Channel's event loop.
+    /// - Parameters:
+    ///   - position: Where in the pipeline to add the HTTP server handlers, defaults to `.last`.
+    ///   - pipelining: Whether to provide assistance handling HTTP clients that pipeline
+    ///         their requests. Defaults to `true`. If `false`, users will need to handle
+    ///         clients that pipeline themselves.
+    ///   - upgrade: Whether to add a `HTTPServerUpgradeHandler` to the pipeline, configured for
+    ///         HTTP upgrade. Defaults to `nil`, which will not add the handler to the pipeline. If
+    ///         provided should be a tuple of an array of `HTTPServerProtocolUpgrader` and the upgrade
+    ///         completion handler. See the documentation on `HTTPServerUpgradeHandler` for more
+    ///         details.
+    ///   - errorHandling: Whether to provide assistance handling protocol errors (e.g.
+    ///         failure to parse the HTTP request) by sending 400 errors. Defaults to `true`.
+    ///   - headerValidation: Whether to validate outbound request headers to confirm that they meet
+    ///         spec compliance. Defaults to `true`.
+    ///   - encoderConfiguration: The configuration for the ``HTTPRequestEncoder``.
+    ///   - headerValidationResponse: Whether to return a response when the header validation fails.
+    /// - Throws: If the pipeline could not be configured.
+    public func configureHTTPServerPipeline(
+        position: ChannelPipeline.SynchronousOperations.Position = .last,
+        withPipeliningAssistance pipelining: Bool = true,
+        withServerUpgrade upgrade: NIOHTTPServerUpgradeConfiguration? = nil,
+        withErrorHandling errorHandling: Bool = true,
+        withOutboundHeaderValidation headerValidation: Bool = true,
+        withEncoderConfiguration encoderConfiguration: HTTPResponseEncoder.Configuration = .init(),
+        withOutboundHeaderValidationRepsonse headerValidationResponse: Bool
+    ) throws {
+        try self._configureHTTPServerPipeline(
+            position: position,
+            withPipeliningAssistance: pipelining,
+            withServerUpgrade: upgrade,
+            withErrorHandling: errorHandling,
+            withOutboundHeaderValidation: headerValidation,
+            withOutboundHeaderValidationRepsonse: headerValidationResponse, withEncoderConfiguration: encoderConfiguration
+        )
+    }
+
     private func _configureHTTPServerPipeline(
         position: ChannelPipeline.SynchronousOperations.Position = .last,
         withPipeliningAssistance pipelining: Bool = true,
         withServerUpgrade upgrade: NIOHTTPServerUpgradeConfiguration? = nil,
         withErrorHandling errorHandling: Bool = true,
         withOutboundHeaderValidation headerValidation: Bool = true,
+        withOutboundHeaderValidationRepsonse headerValidationResponse: Bool = false,
         withEncoderConfiguration encoderConfiguration: HTTPResponseEncoder.Configuration = .init()
     ) throws {
         self.eventLoop.assertInEventLoop()
@@ -933,7 +986,7 @@ extension ChannelPipeline.SynchronousOperations {
         }
 
         if headerValidation {
-            handlers.append(NIOHTTPResponseHeadersValidator())
+            handlers.append(NIOHTTPResponseHeadersValidator(sendResponseOnInvalidHeader: headerValidationResponse))
         }
 
         if errorHandling {

diff --git a/Tests/NIOHTTP1Tests/HTTPHeaderValidationTests.swift b/Tests/NIOHTTP1Tests/HTTPHeaderValidationTests.swift
@@ -635,6 +635,59 @@ final class HTTPHeaderValidationTests: XCTestCase {
         XCTAssertEqual(maybeReceivedHeadBytes, toleratedRequestBytes)
         XCTAssertEqual(maybeReceivedTrailerBytes, toleratedTrailerBytes)
     }
+
+    func testBadRequestResponseIsReturnedIfHeadersInvalidAndConfiguredToDoSo() throws {
+        let channel = EmbeddedChannel()
+        try channel.pipeline.syncOperations.configureHTTPServerPipeline(withOutboundHeaderValidationRepsonse: true)
+        try channel.primeForResponse()
+
+        func assertReadHead(from channel: EmbeddedChannel) throws {
+            if case .head = try channel.readInbound(as: HTTPServerRequestPart.self) {
+                ()
+            } else {
+                XCTFail("Expected 'head'")
+            }
+        }
+
+        func assertReadEnd(from channel: EmbeddedChannel) throws {
+            if case .end = try channel.readInbound(as: HTTPServerRequestPart.self) {
+                ()
+            } else {
+                XCTFail("Expected 'end'")
+            }
+        }
+
+        // Read the first request.
+        try assertReadHead(from: channel)
+        try assertReadEnd(from: channel)
+        XCTAssertNil(try channel.readInbound(as: HTTPServerRequestPart.self))
+
+        // Respond with bad headers; they should cause an error and result in the rest of the
+        // response being dropped, but a fallback response being sent
+        let head = HTTPResponseHead(version: .http1_1, status: .ok, headers: [":pseudo-header": "not-here"])
+        XCTAssertThrowsError(try channel.writeOutbound(HTTPServerResponsePart.head(head)))
+
+        // We expect exactly one ByteBuffer in the output.
+        guard var written = try channel.readOutbound(as: ByteBuffer.self) else {
+            XCTFail("No writes")
+            return
+        }
+
+        XCTAssertNoThrow(XCTAssertNil(try channel.readOutbound()))
+
+        // Check the response.
+        assertResponseIs(
+            response: written.readString(length: written.readableBytes)!,
+            expectedResponseLine: "HTTP/1.1 400 Bad Request",
+            expectedResponseHeaders: ["Connection: close", "Content-Length: 0"]
+        )
+        XCTAssertThrowsError(try channel.writeOutbound(HTTPServerResponsePart.body(.byteBuffer(ByteBuffer()))))
+        XCTAssertNil(try channel.readOutbound(as: ByteBuffer.self))
+        XCTAssertThrowsError(try channel.writeOutbound(HTTPServerResponsePart.end(nil)))
+        XCTAssertNil(try channel.readOutbound(as: ByteBuffer.self))
+
+        _ = try? channel.finish()
+    }
 }
 
 extension EmbeddedChannel {