id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2442	add_header unsanitized	chipus.htc@…		"Hi team,

there may be insufficient verification of the correctness of the header name or full header instruction.

In my case, the mistake was sending the wrong header name.
Example: add_header '''Permissions-Policy""''' ""accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(self), clipboard-write=(self), gamepad=(), speaker-selection=(self), conversion-measurement=(self), focus-without-user-activation=(self), hid=(self), idle-detection=(self), interest-cohort=(self), serial=(self), sync-script=(self), trust-token-redemption=(self), window-placement=(self), vertical-scroll=(self)"";



The result: 
HTTP2 stream breaks for any clients.
HTTP1.1 breaks for iPhones and maybe iMacs.


Best regards, Pavlo.
"	defect	closed	minor		nginx-module	1.23.x	duplicate	ngx_http_headers_module, SSL, HTTP2, HTTP1.1	chipus.htc@…	Linux XXXXXXXXXXXXXXX 6.1.8 #4 SMP PREEMPT_DYNAMIC Fri Jan 27 15:33:42 CET 2023 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.23.3
built by gcc 12.1.1 20220628 (Red Hat 12.1.1-3) (GCC)
built with OpenSSL 3.0.1 14 Dec 2021
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --sbin-path=/opt/nginx/sbin/nginx --conf-path=/opt/nginx/etc/nginx.conf --with-zlib-asm=CPU --with-pcre --with-http_realip_module --with-http_ssl_module --with-http_gzip_static_module --with-http_sub_module --with-file-aio --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_v2_module --with-compat --add-dynamic-module=../ModSecurity-nginx --add-dynamic-module=../ngx_http_geoip2_module
"
