Rule Definition
The risk of a header injection depends hugely on your environment. If your webserver supports something like XSendFile / X-Accel, an attacker could potentially access arbitrary files on the systems. If your system does not do that, there may be other concerns, such as: - Cookie Injection - Open Redirects - Proxy Cache Poisoning

Remediation
Make sure only the value and not the key can be set by an attacker. (e.g. header('Location: ' . $_GET['target']);) Verify the set values are sensible. Consider using an allow list. (e.g. for redirections)

Violation Code Sample

<?php

function sendHeader(PDOStatement $stmt) {
    $stmt->execute();
    $row = $stmt->fetch();
    $header = $row["header"];
    header($header);                                      // VIOLATION
}

Fixed Code Sample

<?php

/**
* @psalm-taint-escape header
*/
function my_escaping_function_for_headers(string input) : string {
    // Check that input is part of a hard-coded white-list of permitted headers
};

function sendHeader(PDOStatement $stmt) {
    $stmt->execute();
    $row = $stmt->fetch();
    $header = $row["header"];
    $header = my_escaping_function_for_headers($header);  // USE A FUNCTION ANNOTATED WITH @psalm-taint-escape header
    header($header);                                      // FIXED
}

Unvalidated Redirects and Forwards Cheat Sheet https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html OWASP Wiki for Cache Poisoning https://owasp.org/www-community/attacks/Cache_Poisoning CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') https://cwe.mitre.org/data/definitions/113.html CWE-601: URL Redirection to Untrusted Site ('Open Redirect') https://cwe.mitre.org/data/definitions/601.html CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax https://cwe.mitre.org/data/definitions/644.html