15 tests demonstrate Content-Type checking, required headers, and header injection prevention.
Headers are defined in the OpenAPI specification with security requirements:
# openapi.yaml
components:
securitySchemes:
ApiKeyAuth:
type: apiKey
in: header
name: X-API-Key
paths:
/users:
post:
security:
- ApiKeyAuth: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/User'curl -X POST \
-H "X-API-Key: valid-key-123" \
-H "Content-Type: application/json" \
-d '{"name": "John"}' \
http://localhost:8080/usersRequests with correct Content-Type (application/json) matching the OpenAPI spec are processed.
curl -X GET http://localhost:8080/usersHTTP/1.1 401 Unauthorized
Content-Type: application/json
{"error": "Missing required header", "header": "X-API-Key"}Requests without required authentication headers are rejected with 401 Unauthorized.
curl -X POST -H "X-API-Key: valid-key" \
-H "Content-Type: text/xml" \
-d 'John HTTP/1.1 415 Unsupported Media TypeContent-Type must match what is defined in the OpenAPI spec. XML is rejected when only JSON is accepted.
curl -H $'X-Custom: value\r\nX-Injected: malicious' http://localhost:8080/usersHTTP/1.1 400 Bad Request
{"error": "Header injection detected", "code": "CRLF_INJECTION_BLOCKED"}CRLF injection attempts in headers are detected and blocked to prevent HTTP response splitting attacks.
curl -H "X-API-Key: ' OR '1'='1" http://localhost:8080/usersSQL injection patterns in header values are detected and blocked.