unjs · pi0 · Mar 25, 2026 · Mar 25, 2026
diff --git a/src/middleware/web-outgoing.ts b/src/middleware/web-outgoing.ts
@@ -90,7 +90,7 @@ export const writeHeaders = defineProxyOutgoingMiddleware((req, res, proxyRes, o
   const preserveHeaderKeyCase = options.preserveHeaderKeyCase;
   let rawHeaderKeyMap: Record<string, string> | undefined;
   const setHeader = function (key: string, header: string | string[] | undefined) {
-    if (header === undefined) {
+    if (header === undefined || !String(key).trim()) {
       return;
     }
     if (rewriteCookieDomainConfig && key.toLowerCase() === "set-cookie") {

diff --git a/test/middleware/web-outgoing.test.ts b/test/middleware/web-outgoing.test.ts
@@ -651,7 +651,7 @@
      const res = {
        setHeader(k: string, v: string | string[]) {
          // Simulate Node.js ERR_INVALID_CHAR for control characters
          if (typeof v === "string" && /[\u0000-\u001F]/.test(v)) {
            throw new TypeError(`Invalid character in header content ["${k}"]`);
          }
          headers[k.toLowerCase()] = v;
@@ -668,6 +668,37 @@
       expect(headers).to.not.have.key("invalid-header");
     });
 
+    it("skips empty header names (upstream#1551)", () => {
+      const proxyRes = {
+        headers: {
+          "": "empty-key-value",
+          "  ": "whitespace-key-value",
+          hey: "hello",
+        },
+      };
+      const headers: Record<string, any> = {};
+      const res = {
+        setHeader(k: string, v: string | string[]) {
+          // Simulate Node.js ERR_INVALID_HTTP_TOKEN for empty/invalid header names
+          if (!k || !/^[\w!#$%&'*+\-.^`|~]+$/.test(k)) {
+            throw new TypeError(`Header name must be a valid HTTP token ["${k}"]`);
+          }
+          headers[k.toLowerCase()] = v;
+        },
+      };
+      webOutgoing.writeHeaders(
+        stubIncomingMessage(),
+        res as any,
+        proxyRes as any,
+        stubMiddlewareOptions(),
+      );
+      // Valid headers should still be set
+      expect(headers.hey).to.eql("hello");
+      // Empty/whitespace-only header names should be skipped
+      expect(headers).to.not.have.key("");
+      expect(headers).to.not.have.key("  ");
+    });
+
     it("skips undefined header values", () => {
       const proxyRes = {
         headers: {