Reject messages with multiple single-value headers

[spaceone]

Some HTTP headers might occurr only once in a HTTP message (e.g. Content-Length, Location, Host, Content-Disposition, etc.).
Messages which contain these headers multiple times should be rejected for security reasons.

Content-Length injection leads to response splitting
Location leads to redirect hijacking.

[spaceone]

http-core issue 193