diff --git a/codec-http/src/main/java/io/netty/handler/codec/http/DefaultHttpHeaders.java b/codec-http/src/main/java/io/netty/handler/codec/http/DefaultHttpHeaders.java
index ef24c75583..675d513d40 100644
--- a/codec-http/src/main/java/io/netty/handler/codec/http/DefaultHttpHeaders.java
+++ b/codec-http/src/main/java/io/netty/handler/codec/http/DefaultHttpHeaders.java
@@ -78,6 +78,18 @@ public class DefaultHttpHeaders extends HttpHeaders {
         this(true);
     }
 
+    /**
+     * Warning! Setting validate to false will mean that Netty won't
+     * validate & protect against user-supplied header values that are malicious.
+     * This can leave your server implementation vulnerable to
+     *
+     * CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
+     * .
+     * When disabling this validation, it is the responsibility of the caller to ensure that the values supplied
+     * do not contain a non-url-escaped carriage return (CR) and/or line feed (LF) characters.
+     *
+     * @param validate Should Netty validate Header values to ensure they aren't malicious.
+     */
     public DefaultHttpHeaders(boolean validate) {
         this(validate, nameValidator(validate));
     }
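Review bot: The new `@param validate` text describes only header values, but the constructor passes the same flag to `nameValidator(validate)` on the line below, so `false` also disables header-name validation; the Javadoc should say so, e.g. `@param validate whether Netty validates header names and values; {@code false} disables both checks.` The phrase "non-url-escaped carriage return (CR) and/or line feed (LF)" is also misleading, since URL-escaping is not the encoding applied to header fields and a raw CR or LF in a header is what produces the splitting condition; `do not contain carriage return (CR) or line feed (LF) characters` states the contract without implying that percent-encoding is expected. The stray blank star line and the lone `.` around the CWE-113 title look like a hyperlink whose markup was lost in rendering; if the source has an `<a href>` there, the surrounding text should be rewritten so the sentence reads cleanly without it.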