HTTP/2 header contains an invalid value
Quick Answer
Sanitise header values before setting them — strip or reject any value containing \0, \r, or \n.
Production Risk
High — this error often indicates a security risk (header injection). Sanitise all header values from external sources.
Thrown when an HTTP/2 header value contains characters that are not permitted by the HTTP/2 specification — specifically NUL bytes (\0), carriage returns (\r), or line feeds (\n).
1. User-supplied data used directly as a header value without sanitisation
2. Header value contains a NUL byte from binary data serialisation
3. Header value includes a newline from multi-line user input
Fix
Sanitise header values
When: setting HTTP/2 headers with any user-supplied or external data
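const http2 = require('node:http2');

function sanitiseHeader(value) {
  // Remove NUL, CR, LF — all disallowed in HTTP/2 header values
  return String(value).replace(/[\0\r\n]/g, '');
}

// Placeholder origin and input for illustration; userInput stands for any external data
const session = http2.connect('https://example.com');
const userInput = 'value from request';
const stream = session.request({
  ':path': '/api',
  'x-custom': sanitiseHeader(userInput),
});
Why this works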
HTTP/2 header values must not contain NUL, CR, or LF per RFC 7540 §8.1.2.6. Stripping them before use prevents the error.
✕ Set header values from user input without sanitisation
Unsanitised user input can contain newlines, enabling HTTP header injection attacks.
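Added example (not part of the original page or of Node.js itself): the Quick Answer allows either stripping or rejecting, and this sketch shows the reject path, reporting which header failed and where so the request can be refused instead of sent with a silently altered value. The helper names findForbidden and validateHeaders and the sample headers are assumptions made for illustration.

```javascript
// Added example: reject (rather than strip) header values containing NUL, CR or LF.
// findForbidden and validateHeaders are hypothetical helper names, not Node.js APIs.
const FORBIDDEN = /[\0\r\n]/;
const CHAR_NAMES = { '\0': 'NUL', '\r': 'CR', '\n': 'LF' };

// Returns the first forbidden character found in one value, or null if clean.
function findForbidden(value) {
  const match = FORBIDDEN.exec(String(value));
  return match ? { char: CHAR_NAMES[match[0]], index: match.index } : null;
}

// Splits candidate headers into those safe to send and those to reject.
// Array values (several values for one header name) are checked element by element.
function validateHeaders(candidate) {
  const headers = {};
  const rejected = [];
  for (const [name, value] of Object.entries(candidate)) {
    const values = Array.isArray(value) ? value : [value];
    const hit = values.map(findForbidden).find((h) => h !== null);
    if (hit) {
      // Record name, character and offset only; the raw value is not echoed,
      // so the report itself cannot carry CR/LF into a log line.
      rejected.push({ name, char: hit.char, index: hit.index });
    } else {
      headers[name] = value;
    }
  }
  return { headers, rejected };
}

// Constructed sample input standing in for external data.
const sample = {
  'x-request-id': 'abc123',
  'x-display-name': 'Alice\r\nx-injected: 1',
  'x-blob': 'AB\0CD',
  'x-notes': ['first line', 'second\nthird'],
};

const result = validateHeaders(sample);
for (const r of result.rejected) {
  console.log(`rejected ${r.name}: ${r.char} at offset ${r.index}`);
}
console.log('safe to send:', Object.keys(result.headers).join(', '));
```

A caller would typically fail the whole request when rejected is non-empty, since a stripped value still carries the attacker-chosen text that followed the newline.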
Node.js Error Codes Documentation