Ensure that ALB drops HTTP headers
ID | alb_drops_http_headers
Severity | low
Vendor | AWS
Resource | ALB
Tags | reachable
Description
An Application Load Balancer (ALB), part of AWS Elastic Load Balancing, automatically distributes incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones.
It monitors the health of its registered targets and routes traffic only to healthy ones, and Elastic Load Balancing scales the load balancer as incoming traffic changes over time.
The load balancer attribute routing.http.drop_invalid_header_fields.enabled controls what the ALB does with HTTP header fields whose names are not valid (AWS treats names containing characters other than alphanumerics and hyphens as invalid). When the attribute is true, the ALB removes those header fields before forwarding the request to its targets; when it is false, which is the default, they are routed to the targets unchanged. Passing malformed headers through to backends that may parse them differently from the load balancer widens the surface for HTTP request smuggling and desync attacks, so this policy expects the attribute to be enabled on every ALB.
Examples
CloudFormation
{
  "Resources": {
    "Alb": { (1)
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Name": "test",
        "Type": "application"
      }
    }
  }
}
1 | The LoadBalancerAttributes property is missing, so routing.http.drop_invalid_header_fields.enabled keeps its default of false and invalid HTTP header fields are forwarded to the targets. |
Resources:
  Alb: (1)
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: test
      Type: "application"
1 | The LoadBalancerAttributes property is missing, so routing.http.drop_invalid_header_fields.enabled keeps its default of false and invalid HTTP header fields are forwarded to the targets. |
Mitigation / Fix
Buildtime
CloudFormation
{
  "Resources": {
    "Alb": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Name": "test",
        "Type": "application",
        "LoadBalancerAttributes": [
          {
            "Key": "routing.http.drop_invalid_header_fields.enabled", (1)
            "Value": "true"
          }
        ]
      }
    }
  }
}
1 | routing.http.drop_invalid_header_fields.enabled set to true means the ALB drops HTTP header fields with invalid names instead of forwarding them. Note the comma after "Type": "application"; without it the JSON template is invalid. |
Resources:
  Alb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: test
      Type: "application"
      LoadBalancerAttributes:
        - Key: routing.http.drop_invalid_header_fields.enabled (1)
          Value: "true"
1 | routing.http.drop_invalid_header_fields.enabled set to true means the ALB drops HTTP header fields with invalid names instead of forwarding them. The value is quoted so CloudFormation receives the string "true" that the attribute expects. |
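The following is an added example, not code from this page or from any vendor tool, showing how the check above can be automated on both sides of deployment: over a parsed CloudFormation template at build time, and over the JSON that `aws elbv2 describe-load-balancer-attributes` returns for a live load balancer. The sample templates and the describe output are constructed here to mirror the examples on this page; the function names are the example's own. It also handles the cases the page's two snippets do not show: an attribute that is present but set to "false", a bare YAML boolean, and Network or Gateway load balancers, which have no HTTP layer and are skipped.

```python
import json

# Attribute controlling whether the ALB strips header fields with invalid names.
ATTR_KEY = "routing.http.drop_invalid_header_fields.enabled"
ALB_RESOURCE_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer"


def attribute_enabled(attributes):
    """True only if ATTR_KEY is present and set to true.

    The ALB default is false, so a missing key counts as disabled. CloudFormation
    and the ELBv2 API carry the value as the string "true"; a YAML author may
    write a bare boolean, so both spellings are accepted.
    """
    for attr in attributes or []:
        if attr.get("Key") == ATTR_KEY:
            value = attr.get("Value")
            return value is True or str(value).strip().lower() == "true"
    return False


def check_cfn_template(template):
    """Map each ALB logical ID in a parsed CloudFormation template to pass/fail.

    Network and Gateway load balancers are skipped. A LoadBalancer resource with
    no Type property is treated as an ALB because "application" is the
    CloudFormation default for that property.
    """
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != ALB_RESOURCE_TYPE:
            continue
        props = resource.get("Properties", {})
        if props.get("Type", "application") != "application":
            continue
        results[logical_id] = attribute_enabled(props.get("LoadBalancerAttributes"))
    return results


def check_describe_output(describe_output):
    """Evaluate the JSON document returned by
    `aws elbv2 describe-load-balancer-attributes --load-balancer-arn <arn>`.
    """
    return attribute_enabled(describe_output.get("Attributes"))


# Constructed sample inputs (not real deployments) mirroring this page's examples.
FAILING_TEMPLATE = json.loads("""
{
  "Resources": {
    "Alb": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {"Name": "test", "Type": "application"}
    },
    "Nlb": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {"Name": "test-nlb", "Type": "network"}
    }
  }
}
""")

PASSING_TEMPLATE = json.loads("""
{
  "Resources": {
    "Alb": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Name": "test",
        "Type": "application",
        "LoadBalancerAttributes": [
          {"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "true"}
        ]
      }
    }
  }
}
""")

# Attribute present but explicitly disabled: must still fail.
DISABLED_TEMPLATE = {
    "Resources": {
        "Alb": {
            "Type": ALB_RESOURCE_TYPE,
            "Properties": {
                "LoadBalancerAttributes": [{"Key": ATTR_KEY, "Value": "false"}]
            },
        }
    }
}

# Constructed excerpt of a describe-load-balancer-attributes response.
DESCRIBE_OUTPUT = {
    "Attributes": [
        {"Key": "deletion_protection.enabled", "Value": "false"},
        {"Key": ATTR_KEY, "Value": "false"},
    ]
}

if __name__ == "__main__":
    for name, tpl in (("failing", FAILING_TEMPLATE), ("passing", PASSING_TEMPLATE),
                      ("disabled", DISABLED_TEMPLATE)):
        print(name, check_cfn_template(tpl))
    print("live ALB compliant:", check_describe_output(DESCRIBE_OUTPUT))
```

For a load balancer that is already deployed, the same attribute is set in place with `aws elbv2 modify-load-balancer-attributes --load-balancer-arn <arn> --attributes Key=routing.http.drop_invalid_header_fields.enabled,Value=true`; the change takes effect without replacing the load balancer, and re-running `check_describe_output` on a fresh describe call confirms it.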