--- a/src/lib-http/http-client-request.c	Mon Feb 13 09:09:28 2017 +0200
+++ b/src/lib-http/http-client-request.c	Fri Feb 10 15:27:13 2017 +0200
@@ -301,6 +301,9 @@
 		 /* allow calling for retries */
 		 req->state == HTTP_REQUEST_STATE_GOT_RESPONSE ||
 		 req->state == HTTP_REQUEST_STATE_ABORTED);
+	/* make sure key or value can't break HTTP headers entirely */
+	i_assert(strpbrk(key, ":\r\n") == NULL);
+	i_assert(strpbrk(value, "\r\n") == NULL);
 
 	/* mark presence of special headers */
 	switch (key[0]) {