ERR_INVALID_CHAR when response.setHeader()

[Somebi]

v10.5.0

_http_outgoing.js:465
    throw err;
    ^

TypeError [ERR_INVALID_CHAR]: Invalid character in header content ["set-cookie"]
    at ServerResponse.setHeader (_http_outgoing.js:474:3)
    at ClientRequest.getHttp.request.on.destResp (/app.js:77:8)
    at ClientRequest.emit (events.js:182:13)
    at HTTPParser.parserOnIncomingClient [as onIncoming] (_http_client.js:546:21)
    at HTTPParser.parserOnHeadersComplete (_http_common.js:109:17)
    at TLSSocket.socketOnData (_http_client.js:432:20)
    at TLSSocket.emit (events.js:182:13)
    at addChunk (_stream_readable.js:283:12)
    at readableAddChunk (_stream_readable.js:264:11)
    at TLSSocket.Readable.push (_stream_readable.js:219:10)

[ 'ASP.NET_SessionId=xqf01rjz5pjz3rbbus5xrci5; path=/; HttpOnly',
 'PCTR=638232021456825698; domain=.example.com; expires=Sat, 24-Jun-2023 18:15:45 GMT; path=/',
 'UserPrefsCookie=languageId=2&priceStyle=decimal&linesTypeView=c&device=d&languageGroup=all; domain=.example.com; expires=Tue, 24-Jul-2018 18:15:45 GMT; path=/',
 'psCDN=CDN1; domain=.example.com; expires=Thu, 24-Jun-2021 18:15:45 GMT; path=/',
 'visid_incap_801031=Emf8gIVHQf+3J7VJh12IqdDfL1sAAAAAQUIPAAAAAABCbZpNqDRMI1vWsDMXDa4H; expires=Mon, 24 Jun 2019 07:52:32 GMT; path=/; Domain=.example.com',
 'incap_ses_473_801031=2PKoDGDp4EjiWeL38m+QBtDfL1sAAAAAy8XlOsjePLPdpDeegKlRLg==; path=/; Domain=.example.com',
 '___utmvmtEuYYEz=hCwVZbrIQLz; path=/; Max-Age=900',
 '___utmvatEuYYEz=cXf\u0001GjxA; path=/; Max-Age=900',
 '___utmvbtEuYYEz=RZt    XUTOQalb: stW; path=/; Max-Age=900' ],

Presumably it's \u0001 , is identified an unicode? That's not my server response headers, so it's being served for a long time and others server are accepting it without any issues... So why node.js is not willing to accept that one when i'm trying to proxy request further by setting it via .setHeader() ?

[bnoordhuis]

The \u0001 turns into a control character when encoded to ASCII or UTF-8 and those are rejected as a security measure. That's working as expected.

[TheHanna]

For anyone else that comes across this issue:

The cookies are coming from Imperva's Incapsula product. You can request that they not inject those cookies by reaching out to their support team.

[nkostadinov]

I have an image proxy built with node js that throws this error every couple of minutes and I cannot find a way to handle this error. Does anyone have a solution for this ?

[gajus]

I have documented a solution in this thread.

#22064 (comment)