Should libnghttp2 validate header field to send? #641

@tatsuhiro-t

Currently, libnghttp2 does not validate header fields to send, which means that it can send anything which is passed from the application.
This is a deliberate design choice, since the application most likely validates what it sends, and doing it in libnghttp2 wastes CPU cycles.
And in the documentation we write the following:

From https://nghttp2.org/documentation/nghttp2_submit_headers.html

The nva is an array of name/value pair nghttp2_nv with nvlen elements. The application is responsible to include required pseudo-header fields (header field whose name starts with ":") in nva and must place pseudo-headers before regular header fields.

From https://nghttp2.org/documentation/nghttp2_submit_request.html

HTTP/2 specification has requirement about header fields in the request HEADERS. See the specification for more details.

So we assume that the application does things right.

Given the recent discussion in golang/go#16572, we might be too optimistic here.
Should we validate the header fields from the application? Should we make it an option? What should we do if we find that a header field is invalid according to the RFC?

As a building block, we have provided 2 functions for quite some time:
nghttp2_check_header_name() and nghttp2_check_header_value(), which validate the name and value respectively. The former requires a lower-cased name. The application can use these functions to enforce the outgoing header fields.
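
An application-side pre-submit check of the kind the issue describes, as an added example that is not part of the original issue and not nghttp2 code. `struct hdr` and `check_outgoing()` are hypothetical names, and the character rules are an assumption (lower-case RFC 7230 token for names, no control bytes in values) standing in for nghttp2_check_header_name() and nghttp2_check_header_value(), which an application linked against libnghttp2 would call instead; the ordering check follows the documented rule that pseudo-headers come before regular fields.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for nghttp2_nv: one outgoing header field. */
struct hdr { const char *name; size_t namelen; const char *value; size_t valuelen; };

enum hdr_err { HDR_OK = 0, HDR_BAD_NAME, HDR_BAD_VALUE, HDR_PSEUDO_ORDER };

/* Assumed rule: lower-case RFC 7230 token; one leading ':' for pseudo-headers. */
static int name_ok(const char *s, size_t n) {
    static const char extra[] = "!#$%&'*+-.^_`|~";
    size_t i = (n > 0 && s[0] == ':') ? 1 : 0;
    if (i == n) return 0;               /* empty name or bare ":" */
    for (; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if ((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')) continue;
        if (c != 0 && strchr(extra, c)) continue;
        return 0;                       /* upper case, space, colon, control byte */
    }
    return 1;
}

/* Assumed rule: no control bytes (NUL, CR, LF, DEL, ...) in a value; HTAB allowed. */
static int value_ok(const char *s, size_t n) {
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if ((c < 0x20 && c != '\t') || c == 0x7f) return 0;
    }
    return 1;
}

/* Validate a whole header list before handing it to the submit call.
   On failure *bad receives the index of the offending field. */
enum hdr_err check_outgoing(const struct hdr *nva, size_t nvlen, size_t *bad) {
    int seen_regular = 0;
    for (size_t i = 0; i < nvlen; i++) {
        *bad = i;
        if (!name_ok(nva[i].name, nva[i].namelen)) return HDR_BAD_NAME;
        if (!value_ok(nva[i].value, nva[i].valuelen)) return HDR_BAD_VALUE;
        if (nva[i].name[0] == ':') {
            if (seen_regular) return HDR_PSEUDO_ORDER;  /* pseudo after regular */
        } else {
            seen_regular = 1;
        }
    }
    return HDR_OK;
}
```

Rejecting the whole list and reporting the offending index lets the caller fail the request locally instead of emitting a HEADERS frame the peer will treat as malformed.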
