strsafe.h is a non-standard C header file provided with the Windows SDK starting with Windows XP Service Pack 2[1] that provides safer buffer handling than the standard C string functions, which are widely known to have security issues involving buffer overruns when not used correctly.
The functions included in strsafe.h replace standard C string handling and I/O functions including printf, strlen, strcpy and strcat.[2] The strsafe functions require the length of the string in either characters or bytes as a parameter. If an operation would exceed the length of the destination buffer, the operation fails and the string is still terminated with a null in its final valid index, so that using it in other library functions will not result in undefined behavior. Independent security researchers have noted that security issues are still possible with the functions from strsafe.h if they are not passed the correct buffer length.[3] The use of this library is recommended by the United States Department of Homeland Security.[4]
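The behaviour described above, and the caveat about an incorrect buffer length, shown as an added example that is not code from strsafe.h or the Windows SDK. It uses a portable stand-in, so `bounded_copy`, the `COPY_*` codes and `neighbour_intact_after_copy` are hypothetical names, and the strings are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example (not the strsafe.h HRESULTs). */
enum { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BAD_PARAM = 2 };

/* Copy src into dst, writing at most cch_dst chars including the
 * terminator. On overflow the copy is truncated, dst is still
 * null-terminated at its last valid index, and an error is returned. */
int bounded_copy(char *dst, size_t cch_dst, const char *src)
{
    size_t i = 0;
    if (dst == NULL || src == NULL || cch_dst == 0)
        return COPY_BAD_PARAM;
    while (i < cch_dst - 1 && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return src[i] == '\0' ? COPY_OK : COPY_TRUNCATED;
}

/* One 16-byte arena: bytes 0-7 are the destination, bytes 8-15 hold
 * unrelated neighbouring data. Returns 1 if the neighbour survives a
 * copy made with the caller's claimed destination size, 0 otherwise. */
int neighbour_intact_after_copy(size_t claimed_cch)
{
    char arena[16] = {0};
    memcpy(arena + 8, "SENTINL", 8);                  /* constructed data */
    bounded_copy(arena, claimed_cch, "AAAAAAAAAAAA"); /* 12 chars */
    return memcmp(arena + 8, "SENTINL", 8) == 0;
}

int main(void)
{
    char buf[8];
    int rc = bounded_copy(buf, sizeof buf, "much too long");
    printf("rc=%d buf=\"%s\"\n", rc, buf);
    printf("correct size 8: neighbour intact=%d\n", neighbour_intact_after_copy(8));
    printf("wrong size 16:  neighbour intact=%d\n", neighbour_intact_after_copy(16));
    return 0;
}
```

The bounds check protects only the size the caller states: with the true size of 8 the neighbouring bytes are untouched, while an overstated size of 16 lets the same call overwrite them.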