aws-lb-allow-invalid-headers
Ensure that the load balancer drops invalid HTTP headers
By default, an ALB will allow invalid HTTP headers to be passed through. In that default mode the only validation performed is simple adherence to RFC 7230 (section 3.2), which requires that a header field contain a colon (`:`) separating the field name from the field value.
Examples
Insecure Example
# Insecure: drop_invalid_header_fields is not set, so the default applies
# and HTTP headers that are not valid per RFC 7230 (section 3.2) are passed
# through to the targets rather than dropped.
resource "aws_lb" "test" {
  name               = "test-lb-tf"
  internal           = false          # internet-facing (see "Scheme" in the CloudFormation example)
  load_balancer_type = "application"  # only an ALB exposes the invalid-header-field behaviour
  security_groups    = [aws_security_group.lb_sg.id]
  subnets            = aws_subnet.public.*.id
  enable_deletion_protection = true

  # Access logs are written to the referenced bucket under the "test-lb" prefix.
  access_logs {
    bucket  = aws_s3_bucket.lb_logs.bucket
    prefix  = "test-lb"
    enabled = true
  }

  tags = {
    Environment = "production"
  }
  # NOTE: no drop_invalid_header_fields argument — this is what the check flags.
}
{
"Type" : "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties" : {
"Name" : "test-lb-tf",
"Scheme" : "internet-facing",
"SecurityGroups" : [ ... ],
"SubnetMappings" : [ ... ],
"Subnets" : [ ... ],
"Tags" : [
"Key": "Environment",
"Value": "production"
],
"Type" : "application"
}
}
Secure Example
# Secure: drop_invalid_header_fields = true makes the ALB drop header fields
# that do not conform to RFC 7230 (section 3.2) instead of forwarding them.
resource "aws_lb" "test" {
  name               = "test-lb-tf"
  internal           = false          # internet-facing (see "Scheme" in the CloudFormation example)
  load_balancer_type = "application"  # the setting below applies to application load balancers
  security_groups    = [aws_security_group.lb_sg.id]
  subnets            = aws_subnet.public.*.id
  enable_deletion_protection = true

  # Access logs are written to the referenced bucket under the "test-lb" prefix.
  access_logs {
    bucket  = aws_s3_bucket.lb_logs.bucket
    prefix  = "test-lb"
    enabled = true
  }

  tags = {
    Environment = "production"
  }

  # Explicitly override the default (invalid headers passed through).
  # CloudFormation equivalent: the "routing.http.drop_invalid_header_fields.enabled"
  # load balancer attribute set to "true".
  drop_invalid_header_fields = true
}
{
"Type" : "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties" : {
"Name" : "test-lb-tf",
"Scheme" : "internet-facing",
"SecurityGroups" : [ ... ],
"SubnetMappings" : [ ... ],
"Subnets" : [ ... ],
"Tags" : [
{
"Key": "Environment",
"Value": "production"
}
],
"Type" : "application"
}
"LoadBalancerAttributes": [
{
"Key" : "routing.http.drop_invalid_header_fields.enabled",
"Value" : "true"
}
]
}