Skip to content

Add support for duplicate custom request headers #2504

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ayanrajpoot10 wants to merge 2 commits into
base: dev
Choose a base branch
from
+28 −25
Open

Add support for duplicate custom request headers #2504

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8eb7d85
refactor: change CustomHeaders to support multiple values per header
ayanrajpoot10 May 23, 2026
3735519
fix: clear existing header values before setting custom headers
ayanrajpoot10 May 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions common/httputilz/httputilz.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,8 +24,8 @@ func DumpRequest(req *retryablehttp.Request) (string, error) {
}

// ParseRequest from raw string
func ParseRequest(req string, unsafe bool) (method, path string, headers map[string]string, body string, err error) {
headers = make(map[string]string)
func ParseRequest(req string, unsafe bool) (method, path string, headers map[string][]string, body string, err error) {
headers = make(map[string][]string)
reader := bufio.NewReader(strings.NewReader(req))
s, err := reader.ReadString('\n')
if err != nil {
Expand Down Expand Up @@ -68,7 +68,7 @@ func ParseRequest(req string, unsafe bool) (method, path string, headers map[str
value = strings.TrimSpace(value)
}

headers[key] = value
headers[key] = append(headers[key], value)
}

// Handle case with the full http url in path. In that case,
Expand All @@ -81,7 +81,7 @@ func ParseRequest(req string, unsafe bool) (method, path string, headers map[str
return
}
path = parts[1]
headers["Host"] = parsed.Host
headers["Host"] = []string{parsed.Host}
} else {
path = parts[1]
}
Expand Down
29 changes: 16 additions & 13 deletions common/httpx/httpx.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ type HTTPX struct {
Filters []Filter
Options *Options
htmlPolicy *bluemonday.Policy
CustomHeaders map[string]string
CustomHeaders map[string][]string
cdn *cdncheck.Client
Dialer *fastdialer.Dialer
NetworkPolicy *networkpolicy.NetworkPolicy
Expand Down Expand Up @@ -434,19 +434,22 @@ func (h *HTTPX) NewRequestWithContext(ctx context.Context, method, targetURL str
}

// SetCustomHeaders on the provided request
func (h *HTTPX) SetCustomHeaders(r *retryablehttp.Request, headers map[string]string) {
for name, value := range headers {
switch strings.ToLower(name) {
case "host":
r.Host = value
if h.Options.Unsafe {
r.Header.Set("Host", value)
func (h *HTTPX) SetCustomHeaders(r *retryablehttp.Request, headers map[string][]string) {
for name, values := range headers {
r.Header.Del(name)
for _, value := range values {
switch strings.ToLower(name) {
case "host":
r.Host = value
if h.Options.Unsafe {
r.Header.Add("Host", value)
}
case "cookie":
// cookies are set in the default branch, and reset during the follow redirect flow
fallthrough
default:
r.Header.Add(name, value)
}
case "cookie":
// cookies are set in the default branch, and reset during the follow redirect flow
fallthrough
default:
r.Header.Set(name, value)
}
}
if h.Options.RandomAgent {
Expand Down
4 changes: 2 additions & 2 deletions common/httpx/option.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ type Options struct {
Timeout time.Duration
// RetryMax is the maximum number of retries
RetryMax int
CustomHeaders map[string]string
CustomHeaders map[string][]string
// VHostSimilarityRatio 1 - 100
VHostSimilarityRatio int
FollowRedirects bool
Expand Down Expand Up @@ -90,7 +90,7 @@ func (options *Options) parseCustomCookies() {
// parse and fill the custom field
for k, v := range options.CustomHeaders {
if strings.EqualFold(k, "cookie") {
req := http.Request{Header: http.Header{"Cookie": []string{v}}}
req := http.Request{Header: http.Header{"Cookie": v}}
options.customCookies = req.Cookies()
}
}
Expand Down
12 changes: 6 additions & 6 deletions runner/runner.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,14 +30,14 @@ import (
"github.com/PuerkitoBio/goquery"
"github.com/corona10/goimagehash"
"github.com/gocarina/gocsv"
"github.com/happyhackingspace/dit"
"github.com/mfonda/simhash"
asnmap "github.com/projectdiscovery/asnmap/libs"
"github.com/projectdiscovery/fastdialer/fastdialer"
"github.com/projectdiscovery/httpx/common/authprovider"
"github.com/projectdiscovery/httpx/common/customextract"
"github.com/projectdiscovery/httpx/common/hashes/jarm"
"github.com/projectdiscovery/httpx/common/inputformats"
"github.com/happyhackingspace/dit"
"github.com/projectdiscovery/httpx/common/authprovider"
"github.com/projectdiscovery/httpx/static"
"github.com/projectdiscovery/mapcidr/asn"
"github.com/projectdiscovery/networkpolicy"
Expand Down Expand Up @@ -238,12 +238,12 @@ func New(options *Options) (*Runner, error) {
httpxOptions.Protocol = httpx.Proto(options.Protocol)

var key, value string
httpxOptions.CustomHeaders = make(map[string]string)
httpxOptions.CustomHeaders = make(map[string][]string)
for _, customHeader := range options.CustomHeaders {
tokens := strings.SplitN(customHeader, ":", two)
// rawhttp skips all checks
if options.Unsafe {
httpxOptions.CustomHeaders[customHeader] = ""
httpxOptions.CustomHeaders[customHeader] = []string{""}
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Preserve repeated identical -H entries in unsafe mode.

Line 246 still overwrites prior values for the same raw header string in unsafe mode. Repeating the exact same -H input loses duplicates.

Suggested fix 
-			httpxOptions.CustomHeaders[customHeader] = []string{""}
+			httpxOptions.CustomHeaders[customHeader] = append(httpxOptions.CustomHeaders[customHeader], "")
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@runner/runner.go` at line 246, The code currently overwrites existing entries
with httpxOptions.CustomHeaders[customHeader] = []string{""}, which drops
duplicate identical -H inputs; change it to append an empty string to the
existing slice instead (e.g. httpxOptions.CustomHeaders[customHeader] =
append(httpxOptions.CustomHeaders[customHeader], "")) so repeated identical
customHeader values are preserved in httpxOptions.CustomHeaders rather than
replaced.

continue
}

Expand All @@ -253,7 +253,7 @@ func New(options *Options) (*Runner, error) {
}
key = strings.TrimSpace(tokens[0])
value = strings.TrimSpace(tokens[1])
httpxOptions.CustomHeaders[key] = value
httpxOptions.CustomHeaders[key] = append(httpxOptions.CustomHeaders[key], value)
}
httpxOptions.SniName = options.SniName

Expand All @@ -278,7 +278,7 @@ func New(options *Options) (*Runner, error) {
scanopts.Methods = append(scanopts.Methods, rrMethod)
scanopts.RequestURI = rrPath
for name, value := range rrHeaders {
httpxOptions.CustomHeaders[name] = value
httpxOptions.CustomHeaders[name] = append(httpxOptions.CustomHeaders[name], value...)
}
scanopts.RequestBody = rrBody
options.rawRequest = string(rawRequest)
Expand Down
Loading