1. Home
  2. Support
Article - CS270061

Troubleshooting "Error occurred while validating HTTP header" Messages in ThingWorx Platform

Modified: 31-Oct-2025   


Applies To

  • ThingWorx Platform 7.0 to 10.0

Description

  • One of the following error messages is logged in either the ThingWorx ApplicationLog or ErrorLog:
Error occurred while validating HTTP header: authorization
Error occurred while validating HTTP header: referer
Error occurred while validating HTTP header: cookie
Error occurred while validating HTTP header: subject
Error occurred while validating HTTP header: remote_user
Error occurred while validating HTTP header: uid
  • How to troubleshoot ESAPI errors
  • Too many errors reported in <tomcat_home>\logs\thingworx-foundation-stdout logs
  • <ThingworxStorage>\logs\ApplicationLog.log shows the following:
[L: ERROR] [O: E.c.t.s.f.ValidatingHttpRequest] [I: ] [U: <User>] [S: ] [T: https-jsse-nio-443-exec-5] Error occurred while validating HTTP header: subject
WARN  IntrusionDetector:65 - [SECURITY FAILURE Anonymous:null@unknown -> /ExampleApplication/IntrusionDetector] Invalid input: context=HTTP header value: <Invalid Header>, type(HTTPHeaderValue)=^[a-zA-Z0-9()\-=\*\.\?;,+\/:&_ % ¡-'"]*$, input=<Invalid Header Value>
org.owasp.esapi.errors.ValidationException: HTTP header value: remote_user: Invalid input. Please conform to regex ^[a-zA-Z0-9()\-=\*\.\?;,+\/:&_ % ¡-'"]*$ with a maximum length of 2000
                at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:144)
                at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:160)
                at org.owasp.esapi.reference.validation.StringValidationRule.getValid(StringValidationRule.java:284)
                at com.thingworx.security.filter.ESAPICustomValidator.getValidInput(ESAPICustomValidator.java:29)
                at com.thingworx.security.filter.ValidatingHttpRequest.getValidInput(ValidatingHttpRequest.java:127)
                at com.thingworx.security.filter.ValidatingHttpRequest.getValidHeaderInput(ValidatingHttpRequest.java:143)
                at com.thingworx.security.filter.ValidatingHttpRequest.getHeader(ValidatingHttpRequest.java:85)
                ...
 
 
This is a printer-friendly version of Article 270061 and may be out of date. For the latest version click CS270061