cesanta / mongoose

Embedded Web Server

Home Page:https://mongoose.ws

Incorrect Header Name Validation

kenballus opened this issue · comments

Mongoose does not sufficiently validate request headers in 2 ways:

  1. The RFCs specify that empty header names are invalid. Mongoose should therefore reject requests with empty header names.
  2. The RFCs specify that header names may contain only alphanumerics and a few other unreserved characters (see RFC 9110 section 5.6.2). Mongoose allows the following reserved characters within header names: `"`, `(`, `)`, `,`, `/`, `;`, `<`, `=`, `>`, `?`, `@`, `[`, `\`, `]`, `{`, `}`, and the range `\xc0`-`\xef`.

Mongoose already rejects empty header names:

```c
if (k.len == 0) return false; // Empty name
```

W.r.t. header names containing only certain characters: we do not see any issue with allowing any valid UTF-8 character. Mongoose does not strictly follow the RFC; that has never been the goal.

> Mongoose already rejects empty header names:

Wow; something must have been wrong with my testing code. Sorry for the hassle.

> we do not see any issue with allowing any valid UTF-8 character. Mongoose does not strictly follow the RFC; that has never been the goal.

That's a fair assessment, but you should be aware that \xc0-\xef are not valid UTF-8 sequences because they are unpaired surrogates.

@kenballus that's a fair point about \xc0-\xef, I'll take a look!

Pushed bd53e46 to disallow invalid UTF-8 in method, URI, and header names.
Allow invalid UTF-8 in header values and protocol.
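As an added example (my own code, not Mongoose's), covering both the RFC 9110 token point from the opening post and the UTF-8 discussion at the end of the thread: a strict RFC 9110 token check beside a strict UTF-8 validator, run over a few constructed header names so the two policies can be compared side by side. The function names `is_tchar`, `is_valid_token`, `is_valid_utf8` and `is_lenient_header_name` are mine; `is_lenient_header_name` is a hypothetical reconstruction of the "non-empty, any valid UTF-8" policy the maintainer describes, not Mongoose's implementation. The UTF-8 validator treats `0xC2`-`0xEF` as lead bytes that must be followed by correctly ranged continuation bytes, and rejects `0xC0`/`0xC1`, stray continuation bytes, overlong encodings, surrogate code points (`ED A0..BF`), code points above U+10FFFF, and truncated sequences.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 9110 section 5.6.2 tchar:
   "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_" /
   "`" / "|" / "~" / DIGIT / ALPHA */
static bool is_tchar(unsigned char c) {
  if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
      (c >= 'a' && c <= 'z')) return true;
  return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Strict policy: a header name is a non-empty token. Rejects the characters
   listed in the issue ( " ( ) , / ; < = > ? @ [ \ ] { } ) and every byte
   >= 0x80, since none of them are tchars. */
bool is_valid_token(const char *s, size_t n) {
  if (n == 0) return false;  /* empty header name */
  for (size_t i = 0; i < n; i++)
    if (!is_tchar((unsigned char) s[i])) return false;
  return true;
}

/* Strict UTF-8 check (RFC 3629 / Unicode Table 3-7). Lead bytes 0xC2-0xEF
   are accepted only with correctly ranged continuation bytes; 0xC0, 0xC1 and
   0xF5-0xFF are never valid; E0 80..9F and F0 80..8F are overlongs;
   ED A0..BF encodes a UTF-16 surrogate; F4 90.. is above U+10FFFF. */
bool is_valid_utf8(const char *s, size_t n) {
  const unsigned char *p = (const unsigned char *) s, *end = p + n;
  while (p < end) {
    unsigned char c = *p, lo = 0x80, hi = 0xBF;
    size_t len;
    if (c < 0x80) { p++; continue; }               /* ASCII */
    else if (c >= 0xC2 && c <= 0xDF) len = 2;
    else if (c == 0xE0) { len = 3; lo = 0xA0; }    /* no overlong 3-byte */
    else if (c >= 0xE1 && c <= 0xEC) len = 3;
    else if (c == 0xED) { len = 3; hi = 0x9F; }    /* no surrogates */
    else if (c >= 0xEE && c <= 0xEF) len = 3;
    else if (c == 0xF0) { len = 4; lo = 0x90; }    /* no overlong 4-byte */
    else if (c >= 0xF1 && c <= 0xF3) len = 4;
    else if (c == 0xF4) { len = 4; hi = 0x8F; }    /* <= U+10FFFF */
    else return false;  /* stray continuation byte, 0xC0/0xC1, or 0xF5-0xFF */
    if ((size_t) (end - p) < len) return false;    /* truncated sequence */
    if (p[1] < lo || p[1] > hi) return false;      /* restricted 2nd byte */
    for (size_t i = 2; i < len; i++)
      if (p[i] < 0x80 || p[i] > 0xBF) return false;
    p += len;
  }
  return true;
}

/* Lenient policy as described by the maintainer in this thread (hypothetical
   reconstruction, not Mongoose's code): non-empty and valid UTF-8. */
bool is_lenient_header_name(const char *s, size_t n) {
  return n > 0 && is_valid_utf8(s, n);
}

int main(void) {
  /* Constructed samples: name, byte length */
  struct { const char *name; size_t len; } samples[] = {
    {"Content-Type", 12},           /* token: both policies accept */
    {"", 0},                        /* empty: both reject */
    {"X-Foo(bar)", 10},             /* parentheses: strict rejects */
    {"X-Caf\xc3\xa9", 7},           /* valid UTF-8 e-acute: lenient only */
    {"X-\xc0\xaf", 4},              /* overlong '/': both reject */
    {"X-\xed\xa0\x80", 5},          /* surrogate D800: both reject */
    {"X-\xc3", 3},                  /* truncated sequence: both reject */
  };
  for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("%-14s strict=%d lenient=%d\n", samples[i].name,
           is_valid_token(samples[i].name, samples[i].len),
           is_lenient_header_name(samples[i].name, samples[i].len));
  return 0;
}
```

The validator is deliberately written with explicit byte ranges per lead byte rather than a generic "count the continuation bytes" loop, because the latter is what lets overlongs and surrogates slip through; the second-byte restriction is where most of the invalid sequences are caught.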