Headers Playbooks

Headers playbooks exercise how an API parses, validates and responds to HTTP headers. They cover content negotiation, standards-compliant header parsing, enforcement of security headers on responses, and resilience against header-based attacks such as CRLF injection and header flooding.

There are 32 headers playbooks, which can be grouped into the following categories:

Content Negotiation and HTTP Standards

  • AcceptLanguageHeadersPlaybook: Send requests with locale Accept-Language headers
  • DummyAcceptHeadersPlaybook: Send requests with dummy Accept headers (expects 406)
  • UnsupportedAcceptHeadersPlaybook: Send requests with unsupported Accept headers (expects 406)
  • DummyContentTypeHeadersPlaybook: Send requests with dummy Content-Type headers (expects 415)
  • UnsupportedContentTypesHeadersPlaybook: Send requests with unsupported Content-Type headers (expects 415)
  • DummyContentLengthHeadersPlaybook: Send requests with dummy Content-Length headers (expects 400)
  • InvalidContentLengthHeadersPlaybook: Send requests with invalid Content-Length headers (expects 400)
  • DummyTransferEncodingHeadersPlaybook: Send requests with dummy Transfer-Encoding headers (expects 400/501)

Header Manipulation and Structure

  • DuplicateHeadersPlaybook: Send requests with duplicate headers
  • ExtraHeadersPlaybook: Add extra 'Dochia-Fuzzy-Header' to requests
  • RemoveHeadersPlaybook: Remove different combinations of headers
  • EmptyStringsInHeadersPlaybook: Send empty values in headers
  • LargeNumberOfRandomHeadersPlaybook: Send requests with 10,000 extra random headers
  • LargeNumberOfRandomAlphanumericHeadersPlaybook: Send requests with 10,000 extra random alphanumeric headers

Unicode, Emojis, and Special Characters

  • AbugidasInHeadersPlaybook: Send abugidas characters in headers
  • CRLFHeadersPlaybook: Send CR & LF characters in headers
  • LeadingSingleCodePointEmojisInHeadersPlaybook: Send headers with leading single codepoint emojis
  • LeadingMultiCodePointEmojisInHeadersPlaybook: Send headers with leading multi codepoint emojis
  • TrailingSingleCodePointEmojisHeadersPlaybook: Send headers with trailing single codepoint emojis
  • TrailingMultiCodePointEmojisHeadersPlaybook: Send headers with trailing multi codepoint emojis
  • OnlySingleCodePointEmojisInHeadersPlaybook: Send headers with only single codepoint emojis
  • OnlyMultiCodePointEmojisInHeadersPlaybook: Send headers with only multi codepoint emojis
  • ZalgoTextInHeadersPlaybook: Send zalgo text in headers
  • ZeroWidthCharsInNamesHeadersPlaybook: Inject zero-width characters in header names
  • ZeroWidthCharsInValuesHeadersPlaybook: Send zero-width characters in header values

Whitespace and Formatting

  • LeadingSpacesInHeadersPlaybook: Send headers with leading spaces
  • TrailingSpacesInHeadersPlaybook: Send headers with trailing spaces
  • OnlySpacesInHeadersPlaybook: Send headers with only spaces

Size Stress Testing

  • VeryLargeStringsInHeadersPlaybook: Send very large values in headers
  • VeryLargeUnicodeStringsInHeadersPlaybook: Send very large unicode values in headers

Security and Validation

  • CheckSecurityHeadersPlaybook: Check responses for security header best practices
  • ResponseHeadersMatchContractHeadersPlaybook: Verify response headers match contract specifications

How to Use Headers Playbooks

Running All Headers Playbooks

Use the built-in flag to run only Headers playbooks:

# Run only Headers Playbooks
dochia test -c api.yml -s https://api.example.com --headers-only

# Short form
dochia test -c api.yml -s https://api.example.com -A

For completeness, you can also target other categories:

# Only Body playbooks
dochia test -c api.yml -s https://api.example.com --body-only # or -B

# Only Fields playbooks
dochia test -c api.yml -s https://api.example.com --fields-only # or -F

Running Specific Headers Playbooks

# Test content negotiation
dochia test -c api.yml -s https://api.example.com \
--playbooks DummyAcceptHeadersPlaybook,UnsupportedContentTypesHeadersPlaybook,InvalidContentLengthHeadersPlaybook

# Test header security and validation
dochia test -c api.yml -s https://api.example.com \
--playbooks CheckSecurityHeadersPlaybook,ResponseHeadersMatchContractHeadersPlaybook,CRLFHeadersPlaybook

# Stress test with large headers (these flood the target; run them only against
# systems you own or are authorised to test)
dochia test -c api.yml -s https://api.example.com \
--playbooks VeryLargeStringsInHeadersPlaybook,LargeNumberOfRandomHeadersPlaybook \
--random-headers-count 5000

# Test Unicode and special character handling
dochia test -c api.yml -s https://api.example.com \
--playbooks ZalgoTextInHeadersPlaybook,ZeroWidthCharsInValuesHeadersPlaybook,AbugidasInHeadersPlaybook

Use Case: Security Header Validation

Before a production release, run headers playbooks to ensure proper header handling and security controls.

# A good suite for security and standards compliance
dochia test -c api.yml -s https://api.example.com \
--playbooks CheckSecurityHeadersPlaybook,CRLFHeadersPlaybook,DuplicateHeadersPlaybook,InvalidContentLengthHeadersPlaybook

Detailed Guide to Headers Playbooks

Content Negotiation and HTTP Standards

DummyAcceptHeadersPlaybook

  • Description: Sends requests with dummy Accept headers to test content negotiation
  • Example: Accept: application/dummy-type
  • Expected Response: 406 Not Acceptable

InvalidContentLengthHeadersPlaybook

  • Description: Sends requests with invalid Content-Length headers to test parsing robustness
  • Example: Content-Length: invalid-number
  • Expected Response: 400 Bad Request. RFC 9112 defines Content-Length as 1*DIGIT, so a non-numeric, negative or conflicting value must be rejected rather than guessed at: a lenient parser in front of a strict one is the precondition for request smuggling.

UnsupportedContentTypesHeadersPlaybook

  • Description: Tests API response to unsupported content types
  • Example: Content-Type: application/unsupported-type
  • Expected Response: 415 Unsupported Media Type

Header Manipulation and Structure

DuplicateHeadersPlaybook

  • Description: Sends requests with duplicate headers to test parsing behavior
  • Example: Two Authorization headers in the same request
  • Purpose: Tests RFC compliance and header precedence handling. RFC 9110 only allows a field to be repeated when its value is list-based; two Authorization headers are ambiguous, and if a proxy honours the first while the origin honours the second, the request is authorised against one credential and executed under another.

ExtraHeadersPlaybook

  • Description: Adds unexpected headers to test header tolerance
  • Example: Dochia-Fuzzy-Header: test-value
  • Purpose: Verifies API doesn't break with unexpected headers

LargeNumberOfRandomHeadersPlaybook

  • Description: Sends requests with thousands of random headers to test resource limits
  • Example: 10,000 headers with random names and values
  • Purpose: Tests DoS resistance and memory management

Unicode and Special Characters

CRLFHeadersPlaybook

  • Description: Tests for header injection using carriage return and line feed characters
  • Example: X-Test: value\r\nX-Injected: malicious
  • Purpose: Detects header injection. A server that copies such a value into a response header or a log line without stripping CR/LF lets the attacker add headers of their own. Note that many HTTP client libraries refuse to send raw CR/LF in a header value, so check the playbook's report to confirm the request actually reached the server rather than being rejected client-side.
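To see why CR and LF in a header value matter, here is an added Python example (not dochia's code) of a naive header serializer beside a hardened one. The playbook's sample value above, fed to the naive serializer, produces two header lines on the wire; the hardened version refuses the value, which is what RFC 9110 requires of a sender (field values must not contain CR, LF or NUL). `wire_header_names` is a small constructed receiver that splits the byte block the way a lenient HTTP/1.1 parser would, accepting a bare LF as a line terminator.

```python
import re
from typing import List, Tuple

Header = Tuple[str, str]
FORBIDDEN = "\r\n\x00"  # RFC 9110: field values must not contain CR, LF or NUL


def serialize_vulnerable(headers: List[Header]) -> bytes:
    """Naive serializer: copies values verbatim, so a value containing "\\r\\n"
    terminates the line early and whatever follows becomes a new header."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers).encode("latin-1")


def serialize_hardened(headers: List[Header]) -> bytes:
    """Same wire format, but refuses any name or value that could break framing."""
    for name, value in headers:
        if any(ch in value for ch in FORBIDDEN) or any(ch in name for ch in FORBIDDEN + ": "):
            raise ValueError(f"control characters in header {name!r}")
    return "".join(f"{name}: {value}\r\n" for name, value in headers).encode("latin-1")


def wire_header_names(block: bytes) -> List[str]:
    """Constructed receiver: split a field block the way a lenient HTTP/1.1
    parser does (CRLF or bare LF) and report the header names it would see."""
    names: List[str] = []
    for line in re.split(rb"\r?\n", block):
        if line:
            names.append(line.split(b":", 1)[0].decode("latin-1"))
    return names


def hardened_rejects(headers: List[Header]) -> bool:
    """True when the hardened serializer refuses the given headers."""
    try:
        serialize_hardened(headers)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # The playbook's sample value, as a constructed input.
    attack = [("X-Test", "value\r\nX-Injected: malicious")]
    print(wire_header_names(serialize_vulnerable(attack)))  # ['X-Test', 'X-Injected']
    print(hardened_rejects(attack))  # True
```

The same split happens with a bare LF in the value, which is why the hardened check rejects LF on its own and not only the CRLF pair.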

ZalgoTextInHeadersPlaybook

  • Description: Tests headers with zalgo text (combining characters)
  • Example: X-Test: H̸̪̯̑ͨ͊̽̅̾̎Ȩ̬̩̾͛ͪ̈̀͘ (the letters H and Ȩ with stacked combining diacritics)
  • Purpose: Tests Unicode handling and rendering safety

ZeroWidthCharsInNamesHeadersPlaybook

  • Description: Injects zero-width characters in header names to test parsing
  • Example: X-Te\u200Cst: value, i.e. X-Test with a U+200C zero-width non-joiner between 'Te' and 'st'
  • Purpose: Tests header name parsing and normalization. A server that strips or ignores format characters treats the header as X-Test, while one that compares names byte-for-byte sees an unknown header; the two behaviours must not differ between a proxy and the origin behind it. RFC 9110 field names are tokens of ASCII tchar, so the strict answer is to reject the name.
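The InvalidContentLength, DuplicateHeaders and ZeroWidthCharsInNames entries above all probe the same server-side parsing decisions. The following Python is an added example, not dochia's own code, of a strict request-header validator under which each of those playbooks gets a 400 rather than a guess. It implements the RFC 9110 token grammar for field names and the RFC 9112 rules for Content-Length (1*DIGIT, identical duplicates tolerated, conflicting ones rejected, and rejected outright when Transfer-Encoding is also present, which RFC 9112 permits a server to do). The `SINGLETON` set and the `status_for` helper are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# RFC 9110 field-name grammar: token = 1*tchar. Spaces, CR/LF, non-ASCII and
# zero-width format characters such as U+200C are not tchar and fail this test.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
DIGITS_RE = re.compile(r"^[0-9]+$")  # RFC 9112: Content-Length = 1*DIGIT

# Assumption for this example: fields that carry exactly one value, so two
# different values are ambiguous and rejected rather than silently picking one.
SINGLETON = {"authorization", "host", "content-type", "content-length",
             "transfer-encoding"}


class HeaderError(ValueError):
    """Validation failure carrying the HTTP status the server should answer with."""

    def __init__(self, status: int, message: str) -> None:
        super().__init__(message)
        self.status = status


def validate_request_headers(raw: List[Tuple[str, str]]) -> Dict[str, str]:
    """Check raw (name, value) field lines and return a lower-cased, merged map.

    Raises HeaderError(400) for a non-token name, a control character in a
    value, conflicting duplicates of a singleton field, a non-numeric
    Content-Length, or Content-Length combined with Transfer-Encoding.
    """
    grouped: Dict[str, List[str]] = {}
    for name, value in raw:
        if not TOKEN_RE.match(name):
            raise HeaderError(400, f"invalid field name: {name!r}")
        if any(ch in value for ch in "\r\n\x00"):
            raise HeaderError(400, f"control character in value of {name}")
        grouped.setdefault(name.lower(), []).append(value.strip(" \t"))

    merged: Dict[str, str] = {}
    for name, values in grouped.items():
        if name not in SINGLETON:
            merged[name] = ", ".join(values)  # RFC 9110 list combination
        elif len(set(values)) == 1:
            merged[name] = values[0]  # identical repeats are tolerated
        else:
            raise HeaderError(400, f"conflicting duplicate header: {name}")

    if "content-length" in merged:
        if not DIGITS_RE.match(merged["content-length"]):
            raise HeaderError(400, "Content-Length is not 1*DIGIT")
        if "transfer-encoding" in merged:
            raise HeaderError(400, "Content-Length together with Transfer-Encoding")
    return merged


def status_for(raw: List[Tuple[str, str]]) -> int:
    """Status a server applying these rules would answer: 200 when the headers
    pass, otherwise the status carried by the HeaderError."""
    try:
        validate_request_headers(raw)
        return 200
    except HeaderError as exc:
        return exc.status


if __name__ == "__main__":
    # Constructed inputs mirroring the playbooks named in the lead-in.
    cases = {
        "valid": [("Content-Length", "12"), ("Accept", "text/html"), ("Accept", "application/json")],
        "InvalidContentLength": [("Content-Length", "invalid-number")],
        "DuplicateHeaders": [("Authorization", "Bearer a"), ("Authorization", "Bearer b")],
        "ZeroWidthCharsInNames": [("X-Te\u200cst", "value")],
        "Content-Length plus Transfer-Encoding": [("Content-Length", "5"), ("Transfer-Encoding", "chunked")],
    }
    for label, lines in cases.items():
        print(f"{label:40s} -> {status_for(lines)}")
```

Non-singleton fields that repeat are joined with ", " as RFC 9110 allows, so a repeated Accept still negotiates normally; only the ambiguous cases turn into a 400.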

Security and Validation

CheckSecurityHeadersPlaybook

  • Description: Validates presence of security headers in responses
  • Checks: X-Frame-Options, Content-Security-Policy, X-Content-Type-Options, etc.
  • Purpose: Ensures security best practices are implemented

ResponseHeadersMatchContractHeadersPlaybook

  • Description: Verifies response headers match OpenAPI contract specifications
  • Example: Checks if documented response headers are present and correctly formatted
  • Purpose: Ensures API contract compliance
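The two response-side playbooks above, CheckSecurityHeadersPlaybook and ResponseHeadersMatchContractHeadersPlaybook, can be reproduced against a captured response with a few lines of code. The following Python is an added example, not dochia's code, and does not reproduce its exact rule set: it checks the three headers the page names (X-Content-Type-Options, Content-Security-Policy, X-Frame-Options) plus Strict-Transport-Security, and compares the received headers with the `headers` object of an OpenAPI response. The one-year HSTS threshold, the choice of checks, and the sample responses and OpenAPI fragment are assumptions made for the example.

```python
import re
from typing import Dict, List

ONE_YEAR = 31536000  # Assumption: minimum HSTS max-age accepted by this check


def _fold(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; compare on a lower-cased copy."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per failed check; an empty list means the response passed."""
    h = _fold(headers)
    findings: List[str] = []

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing")

    # Either a CSP frame-ancestors directive or a restrictive X-Frame-Options
    # is needed to stop the response being framed by another origin.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp.lower() and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no framing protection (CSP frame-ancestors or X-Frame-Options)")

    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if hsts is None or int(hsts.group(1)) < ONE_YEAR:
        findings.append("Strict-Transport-Security missing or max-age below one year")

    return findings


def missing_contract_headers(openapi_response: dict, headers: Dict[str, str]) -> List[str]:
    """Compare the `headers` object of an OpenAPI response (for example the
    value under `responses.200`) with the headers actually received and return
    the documented names that are absent, case-insensitively."""
    h = _fold(headers)
    documented = openapi_response.get("headers", {})
    return [name for name in documented if name.lower() not in h]


if __name__ == "__main__":
    # Constructed responses and a constructed OpenAPI response fragment.
    good = {
        "Content-Type": "application/json",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    }
    bad = {"Content-Type": "text/html", "X-Frame-Options": "ALLOWALL"}
    contract_200 = {
        "description": "OK",
        "headers": {
            "X-Request-Id": {"schema": {"type": "string"}},
            "X-RateLimit-Limit": {"schema": {"type": "integer"}},
        },
    }
    print(audit_security_headers(good))  # []
    print(audit_security_headers(bad))  # four findings
    print(missing_contract_headers(contract_200, {"x-request-id": "abc"}))  # ['X-RateLimit-Limit']
```

A response that sets X-Frame-Options to SAMEORIGIN but no CSP frame-ancestors still passes the framing check, which matches how browsers treat the two headers when only one is present.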