We are using Fortify, which is a static code analysis tool to find vulnerabilities in your code, and it's saying that code might be susceptible to malicious header injection, such as CRLF. However, it also says that "Many of today's modern application servers will prevent the injection of malicious characters into HTTP headers. For example, recent versions of Apache Tomcat will throw an IllegalArgumentException if you attempt to set a header with prohibited characters. If your application server prevents setting headers with new line characters, then your application is not vulnerable to HTTP Response Splitting."
Does Tomcat prevent the injection of malicious characters into HTTP headers? We are currently using Apache Tomcat/7.0.53. Thanks!

--
Sent from neither my iPhone nor my iPad.
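Whatever the container does, the application can refuse CR/LF in header values itself, so the Fortify finding is closed without depending on a particular Tomcat version's behaviour. The following is an added example and is not code from the thread above or from Tomcat; it assumes the `javax.servlet` API (Servlet 3.0, as shipped with Tomcat 7) and the class and method names (`SafeHeaders`, `isSafeHeaderValue`, `setHeaderSafely`) are the example's own. The sample input in `main` is constructed to show what a CR/LF-bearing value looks like to the check.

```java
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the original thread or from Tomcat): an
 * application-level guard that rejects CR, LF and NUL in header names and
 * values before they reach the servlet container. With this in place the
 * response-splitting defence does not rely on the container throwing
 * IllegalArgumentException for you.
 */
public final class SafeHeaders {

    private SafeHeaders() {}

    /** Returns true only if the string is non-null and contains no CR, LF or NUL. */
    public static boolean isSafeHeaderValue(String value) {
        if (value == null) {
            return false;
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n' || c == '\u0000') {
                return false;
            }
        }
        return true;
    }

    /**
     * Sets the header only when both name and value pass the check; otherwise
     * throws, so a tainted value never reaches response.setHeader(). The
     * exception type mirrors what Fortify says recent Tomcat versions raise,
     * which keeps existing error handling uniform.
     */
    public static void setHeaderSafely(HttpServletResponse response,
                                       String name, String value) {
        if (!isSafeHeaderValue(name) || !isSafeHeaderValue(value)) {
            throw new IllegalArgumentException(
                "Refusing to set header '" + name + "': CR/LF/NUL not allowed");
        }
        response.setHeader(name, value);
    }

    /** Stand-alone check on constructed inputs (no container required). */
    public static void main(String[] args) {
        // Constructed sample values: one clean, one carrying a CR/LF pair.
        String clean = "text/html; charset=UTF-8";
        String tainted = "text/html\r\nX-Injected: 1";

        System.out.println("clean   -> " + isSafeHeaderValue(clean));   // true
        System.out.println("tainted -> " + isSafeHeaderValue(tainted)); // false
    }
}
```

In a servlet you would call `SafeHeaders.setHeaderSafely(response, "Location", target)` wherever a header value is derived from request data (redirect targets, `Content-Disposition` filenames, custom headers). Rejecting the request outright, rather than stripping the characters, is the safer choice: stripping can leave a value the application never intended and hides the fact that something tried to smuggle a line break in, which is worth logging as a detection signal.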