grpc
diff --git a/‎xds/src/main/java/io/grpc/xds/internal/XdsHeaderValidator.java‎
Lines changed: 0 additions & 40 deletions b/‎xds/src/main/java/io/grpc/xds/internal/XdsHeaderValidator.java‎
Lines changed: 0 additions & 40 deletions
diff --git a/‎xds/src/main/java/io/grpc/xds/internal/grpcservice/GrpcServiceConfigParser.java‎
Lines changed: 7 additions & 9 deletions b/‎xds/src/main/java/io/grpc/xds/internal/grpcservice/GrpcServiceConfigParser.java‎
Lines changed: 7 additions & 9 deletions
diff --git a/‎xds/src/main/java/io/grpc/xds/internal/grpcservice/HeaderValueValidationUtils.java‎
Lines changed: 67 additions & 0 deletions b/‎xds/src/main/java/io/grpc/xds/internal/grpcservice/HeaderValueValidationUtils.java‎
Lines changed: 67 additions & 0 deletions
diff --git a/‎xds/src/test/java/io/grpc/xds/internal/XdsHeaderValidatorTest.java‎
Lines changed: 0 additions & 64 deletions b/‎xds/src/test/java/io/grpc/xds/internal/XdsHeaderValidatorTest.java‎
Lines changed: 0 additions & 64 deletions
diff --git a/‎xds/src/test/java/io/grpc/xds/internal/grpcservice/HeaderValueValidationUtilsTest.java‎
Lines changed: 87 additions & 0 deletions b/‎xds/src/test/java/io/grpc/xds/internal/grpcservice/HeaderValueValidationUtilsTest.java‎
Lines changed: 87 additions & 0 deletions
@@ -33,7 +33,6 @@
 import io.grpc.alts.GoogleDefaultChannelCredentials;
 import io.grpc.auth.MoreCallCredentials;
 import io.grpc.xds.XdsChannelCredentials;
-import io.grpc.xds.internal.XdsHeaderValidator;
 import java.time.Duration;
 import java.util.ArrayList;
 import java.util.Date;
@@ -88,17 +87,16 @@ public static GrpcServiceConfig parse(GrpcService grpcServiceProto,
     for (io.envoyproxy.envoy.config.core.v3.HeaderValue header : grpcServiceProto
         .getInitialMetadataList()) {
       String key = header.getKey();
+      HeaderValue headerValue;
       if (key.endsWith(Metadata.BINARY_HEADER_SUFFIX)) {
-        if (!XdsHeaderValidator.isValid(key, header.getRawValue().size())) {
-          throw new GrpcServiceParseException("Invalid initial metadata header: " + key);
-        }
-        initialMetadata.add(HeaderValue.create(key, header.getRawValue()));
+        headerValue = HeaderValue.create(key, header.getRawValue());
       } else {
-        if (!XdsHeaderValidator.isValid(key, header.getValue().length())) {
-          throw new GrpcServiceParseException("Invalid initial metadata header: " + key);
-        }
-        initialMetadata.add(HeaderValue.create(key, header.getValue()));
+        headerValue = HeaderValue.create(key, header.getValue());
+      }
+      if (HeaderValueValidationUtils.shouldIgnore(headerValue)) {
+        throw new GrpcServiceParseException("Invalid initial metadata header: " + key);
       }
+      initialMetadata.add(headerValue);
     }
     builder.initialMetadata(initialMetadata.build());
 
 
@@ -0,0 +1,67 @@
+/*
+ * Copyright 2025 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.xds.internal.grpcservice;
+
+import java.util.Locale;
+
+/**
+ * Utility class for validating HTTP headers.
+ */
+public final class HeaderValueValidationUtils {
+  public static final int MAX_HEADER_LENGTH = 16384;
+
+  private HeaderValueValidationUtils() {}
+
+  /**
+   * Returns true if the header key should be ignored for mutations or validation.
+   *
+   * @param key The header key (e.g., "content-type")
+   */
+  public static boolean shouldIgnore(String key) {
+    if (key.isEmpty() || key.length() > MAX_HEADER_LENGTH) {
+      return true;
+    }
+    if (!key.equals(key.toLowerCase(Locale.ROOT))) {
+      return true;
+    }
+    if (key.startsWith("grpc-")) {
+      return true;
+    }
+    if (key.startsWith(":") || key.equals("host")) {
+      return true;
+    }
+    return false;
+  }
+
+  /**
+   * Returns true if the header value should be ignored.
+   *
+   * @param header The HeaderValue containing key and values
+   */
+  public static boolean shouldIgnore(HeaderValue header) {
+    if (shouldIgnore(header.key())) {
+      return true;
+    }
+    if (header.value().isPresent() && header.value().get().length() > MAX_HEADER_LENGTH) {
+      return true;
+    }
+    if (header.rawValue().isPresent() && header.rawValue().get().size() > MAX_HEADER_LENGTH) {
+      return true;
+    }
+    return false;
+  }
+}
@@ -0,0 +1,87 @@
+/*
+ * Copyright 2026 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.xds.internal.grpcservice;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import com.google.protobuf.ByteString;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+
+/**
+ * Unit tests for {@link HeaderValueValidationUtils}.
+ */
+@RunWith(JUnit4.class)
+public class HeaderValueValidationUtilsTest {
+
+  @Test
+  public void shouldIgnore_string_emptyKey() {
+    assertThat(HeaderValueValidationUtils.shouldIgnore("")).isTrue();
+  }
+
+  @Test
+  public void shouldIgnore_string_tooLongKey() {
+    String longKey = new String(new char[16385]).replace('\0', 'a');
+    assertThat(HeaderValueValidationUtils.shouldIgnore(longKey)).isTrue();
+  }
+
+  @Test
+  public void shouldIgnore_string_notLowercase() {
+    assertThat(HeaderValueValidationUtils.shouldIgnore("Content-Type")).isTrue();
+  }
+
+  @Test
+  public void shouldIgnore_string_grpcPrefix() {
+    assertThat(HeaderValueValidationUtils.shouldIgnore("grpc-timeout")).isTrue();
+  }
+
+  @Test
+  public void shouldIgnore_string_systemHeader_colon() {
+    assertThat(HeaderValueValidationUtils.shouldIgnore(":authority")).isTrue();
+  }
+
+  @Test
+  public void shouldIgnore_string_systemHeader_host() {
+    assertThat(HeaderValueValidationUtils.shouldIgnore("host")).isTrue();
+  }
+
+  @Test
+  public void shouldIgnore_string_valid() {
+    assertThat(HeaderValueValidationUtils.shouldIgnore("content-type")).isFalse();
+  }
+
+  @Test
+  public void shouldIgnore_headerValue_tooLongValue() {
+    String longValue = new String(new char[16385]).replace('\0', 'v');
+    HeaderValue header = HeaderValue.create("content-type", longValue);
+    assertThat(HeaderValueValidationUtils.shouldIgnore(header)).isTrue();
+  }
+
+  @Test
+  public void shouldIgnore_headerValue_tooLongRawValue() {
+    ByteString longRawValue = ByteString.copyFrom(new byte[16385]);
+    HeaderValue header = HeaderValue.create("content-type", longRawValue);
+    assertThat(HeaderValueValidationUtils.shouldIgnore(header)).isTrue();
+  }
+
+  @Test
+  public void shouldIgnore_headerValue_valid() {
+    HeaderValue header = HeaderValue.create("content-type", "application/grpc");
+    assertThat(HeaderValueValidationUtils.shouldIgnore(header)).isFalse();
+  }
+}