diff --git a/lib/middlewares/csp.js b/lib/middlewares/csp.js
index f5a37c0..dcf29d9 100644
--- a/lib/middlewares/csp.js
+++ b/lib/middlewares/csp.js
@@ -62,7 +62,12 @@ module.exports = options => {
 }
 }
 const headerString = bufArray.join(';');
- ctx.set(finalHeader, headerString);
- ctx.set('x-csp-nonce', ctx.nonce);
+
+ if (!utils.checkInvalidHeaderChar(headerString)) {
+ ctx.set(finalHeader, headerString);
+ ctx.set('x-csp-nonce', ctx.nonce);
+ } else {
+ console.warn('Invalid character in header content :', finalHeader);
+ }
 };
 };
diff --git a/lib/utils.js b/lib/utils.js
index 22a6aa3..9892daa 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -165,3 +165,9 @@ function getContains(ip) {
 }
 return IP.cidrSubnet(ip).contains;
 }
+
+const HEADER_CHAR_REGEX = /[^\t\x20-\x7e\x80-\xff]/;
+
+exports.checkInvalidHeaderChar = function(val) {
+ return HEADER_CHAR_REGEX.test(val);
+};
diff --git a/test/utils.test.js b/test/utils.test.js
index cab62d1..48d43d3 100644
--- a/test/utils.test.js
+++ b/test/utils.test.js
@@ -251,4 +251,17 @@ describe('test/utils.test.js', function() {
 });
 });
 });
+
+ describe('utils.checkInvalidHeaderChar', function() {
+ it('Invalid character return true', function() {
+ utils.checkInvalidHeaderChar('aaaaa\naaaaaa').should.equal(true);
+ utils.checkInvalidHeaderChar('aaaa\raaaaa').should.equal(true);
+ });
+
+ it('character return false', function() {
+ utils.checkInvalidHeaderChar('aaaaa').should.equal(false);
+ utils.checkInvalidHeaderChar('aaaa aaaaa').should.equal(false);
+ utils.checkInvalidHeaderChar('aaaaaaaaa').should.equal(false);
+ });
+ });
 });
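Review bot: The `else` branch fails open: when `headerString` contains a CR/LF or other illegal character, the response goes out with no Content-Security-Policy header at all (and no `x-csp-nonce`), and the only trace is a `console.warn` that names the header but not the offending directive value. Node's `setHeader` itself rejects such characters, so before this change the request presumably errored rather than being served unprotected; a bad value in one directive should not be able to silently disable the whole policy. Prefer failing closed, e.g. replace the `else` body with `throw new Error('Invalid character in ' + finalHeader + ' value');` (or `ctx.throw(500, ...)` if this is a Koa-style ctx), and route the message through the app's logger rather than `console.warn`. Whether any directive value can be attacker-influenced is not visible here; the enclosing middleware function starts outside the hunk.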
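Review bot: `checkInvalidHeaderChar` is exported without documentation, and its polarity (true means invalid) is easy to misread at a call site, so add a JSDoc above it stating that it returns true when `val` contains a character not allowed in an HTTP header field value — anything outside TAB, 0x20–0x7E and 0x80–0xFF, which in particular catches CR and LF and therefore header injection — and that the class appears to mirror Node's own header-value check. The comment should also note that `RegExp#test` coerces its argument, so `checkInvalidHeaderChar(undefined)` returns false because the string `'undefined'` is clean; callers must pass the actual header string. Code points above U+00FF are reported as invalid, which matches Node but is worth stating explicitly.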
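Review bot: The new cases only exercise CR and LF, so the edges of the character class are untested; add `utils.checkInvalidHeaderChar('a\x7fb').should.equal(true);` for DEL (0x7F falls between the two allowed ranges), `utils.checkInvalidHeaderChar('a\tb').should.equal(false);` for TAB, and a case for `''`, which returns false. A case for `'\u0100'` would also pin down that non-Latin-1 code points are rejected. The enclosing `describe` starts outside the hunk.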