# Avoid breaking test clients that just want to supply normalized

# ASGI names, regardless of the fact that ASGIRequest drops headers

# with underscores (CVE-2026-3902).

(key.lower().replace("_", "-").encode("ascii"), value.encode("latin1"))

CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation

====================================================================

``ASGIRequest`` normalizes header names following WSGI conventions, mapping

hyphens to underscores. As a result, even in configurations where reverse

proxies carefully strip security-sensitive headers named with hyphens, such a

header could be spoofed by supplying a header named with underscores.

Under WSGI, it is the responsibility of the server or proxy to avoid ambiguous

mappings. (Django's :djadmin:`runserver` was patched in :cve:`2015-0219`.) But

under ASGI, there is not the same uniform expectation, even if many proxies

protect against this under default configuration (including ``nginx`` via

``underscores_in_headers off;``).

Headers containing underscores are now ignored by ``ASGIRequest``, matching the

behavior of :pypi:`Daphne <daphne>`, the reference server for ASGI.

This issue has severity "low" according to the :ref:`Django security policy

<security-disclosure>`.

CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation

====================================================================

``ASGIRequest`` normalizes header names following WSGI conventions, mapping

hyphens to underscores. As a result, even in configurations where reverse

proxies carefully strip security-sensitive headers named with hyphens, such a

header could be spoofed by supplying a header named with underscores.

Under WSGI, it is the responsibility of the server or proxy to avoid ambiguous

mappings. (Django's :djadmin:`runserver` was patched in :cve:`2015-0219`.) But

under ASGI, there is not the same uniform expectation, even if many proxies

protect against this under default configuration (including ``nginx`` via

``underscores_in_headers off;``).

Headers containing underscores are now ignored by ``ASGIRequest``, matching the

behavior of :pypi:`Daphne <daphne>`, the reference server for ASGI.

This issue has severity "low" according to the :ref:`Django security policy

<security-disclosure>`.

CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation

====================================================================

``ASGIRequest`` normalizes header names following WSGI conventions, mapping

hyphens to underscores. As a result, even in configurations where reverse

proxies carefully strip security-sensitive headers named with hyphens, such a

header could be spoofed by supplying a header named with underscores.

Under WSGI, it is the responsibility of the server or proxy to avoid ambiguous

mappings. (Django's :djadmin:`runserver` was patched in :cve:`2015-0219`.) But

under ASGI, there is not the same uniform expectation, even if many proxies

protect against this under default configuration (including ``nginx`` via

``underscores_in_headers off;``).

Headers containing underscores are now ignored by ``ASGIRequest``, matching the

behavior of :pypi:`Daphne <daphne>`, the reference server for ASGI.

This issue has severity "low" according to the :ref:`Django security policy

<security-disclosure>`.

async def test_underscores_in_headers_ignored(self):

scope = self.async_request_factory._base_scope(path="/", http_version="2.0")

scope["headers"] = [(b"some_header", b"1")]

request = ASGIRequest(scope, None)

# No form of the header exists anywhere.

self.assertNotIn("Some_Header", request.headers)

self.assertNotIn("Some-Header", request.headers)

self.assertNotIn("SOME_HEADER", request.META)

self.assertNotIn("SOME-HEADER", request.META)

self.assertNotIn("HTTP_SOME_HEADER", request.META)