Validate header names as HTTP token characters

Co-authored-by: Shri Sukhani <shrisukhani@users.noreply.github.com>

Author: cursoragent

hyperbrowser/header_utils.py

@@ -1,8 +1,11 @@
 import json
+import re
 from typing import Dict, Mapping, Optional, cast
 
 from .exceptions import HyperbrowserError
 
+_INVALID_HEADER_NAME_CHARACTER_PATTERN = re.compile(r"[^!#$%&'*+\-.^_`|~0-9A-Za-z]")
+
 
 def normalize_headers(
     headers: Optional[Mapping[str, str]],
@@ -24,6 +27,10 @@ def normalize_headers(
         normalized_key = key.strip()
         if not normalized_key:
             raise HyperbrowserError("header names must not be empty")
+        if _INVALID_HEADER_NAME_CHARACTER_PATTERN.search(normalized_key):
+            raise HyperbrowserError(
+                "header names must contain only valid HTTP token characters"
+            )
         if (
             "\n" in normalized_key
             or "\r" in normalized_key

tests/test_config.py

@@ -255,6 +255,14 @@ def test_client_config_rejects_empty_header_name():
         ClientConfig(api_key="test-key", headers={"   ": "value"})
 
 
+def test_client_config_rejects_invalid_header_name_characters():
+    with pytest.raises(
+        HyperbrowserError,
+        match="header names must contain only valid HTTP token characters",
+    ):
+        ClientConfig(api_key="test-key", headers={"X Trace": "value"})
+
+
 def test_client_config_rejects_newline_header_values():
     with pytest.raises(
         HyperbrowserError, match="headers must not contain newline characters"

tests/test_custom_headers.py

@@ -40,6 +40,14 @@ def test_sync_transport_rejects_empty_header_name():
         SyncTransport(api_key="test-key", headers={"   ": "value"})
 
 
+def test_sync_transport_rejects_invalid_header_name_characters():
+    with pytest.raises(
+        HyperbrowserError,
+        match="header names must contain only valid HTTP token characters",
+    ):
+        SyncTransport(api_key="test-key", headers={"X Trace": "value"})
+
+
 def test_sync_transport_rejects_header_newline_values():
     with pytest.raises(
         HyperbrowserError, match="headers must not contain newline characters"
@@ -87,6 +95,14 @@ def test_async_transport_rejects_empty_header_name():
         AsyncTransport(api_key="test-key", headers={"   ": "value"})
 
 
+def test_async_transport_rejects_invalid_header_name_characters():
+    with pytest.raises(
+        HyperbrowserError,
+        match="header names must contain only valid HTTP token characters",
+    ):
+        AsyncTransport(api_key="test-key", headers={"X Trace": "value"})
+
+
 def test_async_transport_rejects_header_newline_values():
     with pytest.raises(
         HyperbrowserError, match="headers must not contain newline characters"

tests/test_header_utils.py

@@ -25,6 +25,17 @@ def test_normalize_headers_rejects_empty_header_name():
         )
 
 
+def test_normalize_headers_rejects_invalid_header_name_characters():
+    with pytest.raises(
+        HyperbrowserError,
+        match="header names must contain only valid HTTP token characters",
+    ):
+        normalize_headers(
+            {"X Trace Id": "value"},
+            mapping_error_message="headers must be a mapping of string pairs",
+        )
+
+
 def test_normalize_headers_rejects_duplicate_names_after_normalization():
     with pytest.raises(
         HyperbrowserError,
@@ -73,6 +84,14 @@ def test_parse_headers_env_json_rejects_non_mapping_payload():
         parse_headers_env_json('["bad"]')
 
 
+def test_parse_headers_env_json_rejects_invalid_header_name_characters():
+    with pytest.raises(
+        HyperbrowserError,
+        match="header names must contain only valid HTTP token characters",
+    ):
+        parse_headers_env_json('{"X Trace Id":"abc123"}')
+
+
 def test_normalize_headers_rejects_control_characters():
     with pytest.raises(
         HyperbrowserError, match="headers must not contain control characters"