diff --git a/access.lua b/access.lua
index b174076..87f1a68 100644
--- a/access.lua
+++ b/access.lua
@@ -28,6 +28,13 @@ local rex = require "rex_pcre"
 -- Just a note for the client to know that he passed through the SSO
 ngx.header["X-SSO-WAT"] = "You've just been SSOed"
 
+-- Quick fix for CVE-2019-11043 about php-fpm and nginx
+local loweruri = string.lower(ngx.var.uri)
+ngx.header["X-SSO-DEBUG"] = loweruri
+if string.match(loweruri, "\n") or string.match(loweruri, "\r") then
+ return ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
 --
 -- 1. LOGIN