aiortc / aioquic

QUIC and HTTP/3 implementation in Python


HTTP/3 headers need further validation

lpisu98 opened this issue · comments

I saw Issue 21 about header validation, and I want to suggest additional validations. Otherwise, request smuggling vulnerabilities can arise.
The suggestions are all based on the HTTP/3 RFC specification, which refers to the HTTP/2 RFC specification (see RFC 9113, Field Validity).

  • Content-Length should be validated against the actual size of the body
  • Transfer-Encoding headers can only be accepted if the value is "trailers"
  • Other than rejecting uppercase letters (this is already validated), field names must not contain characters in the ranges 0x00-0x20, 0x41-0x5a, or 0x7f-0xff
  • Except for pseudo-headers, headers must not contain single colons (:)
  • Header values must not contain null bytes, \n (newlines) and \r (carriage returns)
  • Header values must not contain \t (tabs) or spaces at the start or end
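
The rules listed above, as an added Python example that is not aioquic's own code: it assumes headers arrive as (name, value) byte pairs, raises on any violation, and returns the declared Content-Length so the caller can compare it with the body actually received.

```python
# Added example (not aioquic's own code): check an HTTP/3 header list against
# the field-validity rules the issue lists (RFC 9113 section 8.2.1, via RFC 9114).
# Headers are (name, value) byte pairs, the shape aioquic's H3 API exposes.
from typing import List, Optional, Tuple

class InvalidHeader(ValueError):
    """A field name or value violates RFC 9113 field validity."""

def _name_ok(name: bytes) -> bool:
    if not name:
        return False
    # A pseudo-header has exactly one colon, leading; no other colon is allowed.
    if b":" in (name[1:] if name.startswith(b":") else name):
        return False
    # Reject 0x00-0x20 (controls, space), 0x41-0x5a (uppercase), 0x7f-0xff.
    return all(0x20 < c < 0x7F and not 0x41 <= c <= 0x5A for c in name)

def _value_ok(value: bytes) -> bool:
    if b"\x00" in value or b"\n" in value or b"\r" in value:
        return False
    # No leading or trailing SP / HTAB.
    return not (value.startswith((b" ", b"\t")) or value.endswith((b" ", b"\t")))

def validate_headers(headers: List[Tuple[bytes, bytes]],
                     body_size: Optional[int] = None) -> int:
    """Raise InvalidHeader on any violation; return Content-Length, or -1 if absent."""
    content_length = -1
    for name, value in headers:
        if not _name_ok(name):
            raise InvalidHeader(f"bad field name: {name!r}")
        if not _value_ok(value):
            raise InvalidHeader(f"bad value for {name!r}: {value!r}")
        if name == b"transfer-encoding" and value != b"trailers":
            raise InvalidHeader("transfer-encoding is only valid as 'trailers'")
        if name == b"content-length":
            if not value.isdigit():
                raise InvalidHeader(f"non-numeric content-length: {value!r}")
            content_length = int(value)
    # When the body is known, the declared length must match what was received.
    if body_size is not None and content_length >= 0 and content_length != body_size:
        raise InvalidHeader(f"content-length {content_length} != body size {body_size}")
    return content_length

def is_valid(headers: List[Tuple[bytes, bytes]], body_size: Optional[int] = None) -> bool:
    try:
        validate_headers(headers, body_size)
        return True
    except InvalidHeader:
        return False
```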

Fixed, thanks!