
    • Sub-task
    • Resolution: Done
    • Medium

      Header Manipulation vulnerabilities occur when:
      1. Data enters a web application through an untrusted source, most frequently an HTTP request.
      For example, the data enters at getParameter().
      2. The data is included in an HTTP response header sent to a web user without being validated.
      For example, the data is sent at addHeader().

      As with many software security vulnerabilities, Header Manipulation is a means to an end, not an end in itself. At its root, the vulnerability is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header.

      To fix it: validate the data's format before adding it to the response header.
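
One way to apply this fix, as an added example (not code from this issue or its project): a value taken from getParameter() is checked against an allow-list format before it is passed to addHeader(). The parameter name `theme`, the header name `X-Theme`, the allowed format and the map standing in for the servlet response are assumptions made for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Pattern;

/** Added example: allow-list validation of a request parameter before it reaches a response header. */
public class HeaderValueCheck {

    // Assumed format for this example: a short token of letters, digits, '.', '_' and '-'.
    // The allow-list excludes CR (\r) and LF (\n) by construction, so an accepted
    // value cannot end the header line and begin a new header or the response body.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    /** Returns the value only if it matches the expected format; empty otherwise. */
    static Optional<String> validated(String raw) {
        if (raw == null || !ALLOWED.matcher(raw).matches()) {
            return Optional.empty();
        }
        return Optional.of(raw);
    }

    /**
     * Stand-in for the servlet flow described in the issue. In a servlet this would be:
     *   String v = request.getParameter("theme");          // hypothetical parameter
     *   validated(v).ifPresent(ok -> response.addHeader("X-Theme", ok));
     */
    static Map<String, String> buildHeaders(String themeParam) {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Content-Type", "text/html");
        // The header is only added when validation succeeds; bad input is dropped.
        validated(themeParam).ifPresent(ok -> headers.put("X-Theme", ok));
        return headers;
    }

    public static void main(String[] args) {
        // Constructed inputs: a well-formed value, a value carrying CR/LF, empty, and missing.
        String[] samples = { "dark-mode", "dark\r\nX-Extra: 1", "", null };
        for (String s : samples) {
            System.out.println(printable(s) + " -> " + buildHeaders(s));
        }
    }

    // Makes control characters visible in the demo output.
    private static String printable(String s) {
        return s == null ? "null" : s.replace("\r", "\\r").replace("\n", "\\n");
    }
}
```

Only the first sample produces an `X-Theme` header; the other three leave the response with `Content-Type` alone.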

            guangxingwang guangxingwang