PT-2026-47591 · Crates.Io · Http-Types

Published 2026-03-11 · Updated 2026-03-11

None

No severity ratings or metrics are available. When they become available, we will update the corresponding information on this page.
Authorization::value uses HeaderValue::value with the claim that the internal string is ASCII, but Authorization::new and Authorization::set_credentials accept arbitrary String credentials without validation. As a result, safe code can construct a header value containing non-ASCII UTF-8 while the implementation assumes ASCII.
WwwAuthenticate::new and WwwAuthenticate::set_realm similarly accept arbitrary String input, so WwwAuthenticate::value can also produce a header value that violates the crate’s documented ASCII invariants.
This issue has not been confirmed as Undefined Behavior, but the unsafe justification in Authorization::value and WwwAuthenticate::value appears incorrect and can produce values outside the expected ASCII-only constraints.
The http-types crate is unmaintained and the issue is unlikely to be fixed.
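
Because no fix is expected, callers can enforce the ASCII invariant themselves before a string reaches the credentials or realm setters. The following is an added example, not code from http-types or from the advisory; it uses only the standard library, every name in it is hypothetical, and its rejection of control bytes goes beyond what the advisory describes.

```rust
// Added example: std-only sketch, not http-types code. All names are hypothetical.

#[derive(Debug, PartialEq)]
enum HeaderTextError {
    NonAscii { byte_index: usize },
    Control { byte_index: usize },
}

/// Enforce what the advisory says is assumed but never checked: every byte is
/// ASCII. Control bytes (CR, LF, NUL, DEL, ...) are rejected too; that part is
/// an extra assumption of this example, not something the advisory states.
fn check_header_text(s: &str) -> Result<(), HeaderTextError> {
    for (byte_index, b) in s.bytes().enumerate() {
        if !b.is_ascii() {
            return Err(HeaderTextError::NonAscii { byte_index });
        }
        if b.is_ascii_control() {
            return Err(HeaderTextError::Control { byte_index });
        }
    }
    Ok(())
}

/// Build "<scheme> <credentials>" only after both parts pass the check.
fn authorization_value(scheme: &str, credentials: &str) -> Result<String, HeaderTextError> {
    check_header_text(scheme)?;
    check_header_text(credentials)?;
    Ok(format!("{} {}", scheme, credentials))
}

/// Validate a realm string before it is placed in a WWW-Authenticate challenge.
fn checked_realm(realm: &str) -> Result<&str, HeaderTextError> {
    check_header_text(realm).map(|()| realm)
}

fn main() {
    // Constructed sample inputs: one valid, one non-ASCII, one with CR/LF.
    let samples = [("Basic", "dXNlcjpwYXNz"), ("Bearer", "t\u{f6}ken"), ("Bearer", "abc\r\ndef")];
    for &(scheme, cred) in samples.iter() {
        println!("{:?} -> {:?}", cred, authorization_value(scheme, cred));
    }
    println!("{:?}", checked_realm("r\u{e9}sum\u{e9}"));
}
```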

Related identifiers

RUSTSEC-2026-0174

Affected products

Http-Types