Ensure Invalid Headers Are Dropped In ALB

Ensure that AWS Application Load Balancers (ALB) are configured to drop invalid HTTP header fields instead of forwarding them to targets. If the load balancer attribute routing.http.drop_invalid_header_fields.enabled is false, the rule is NON_COMPLIANT.

Risk Level: medium
Cloud Entity: AWS
Spectral Rule ID: TFAWS005

REMEDIATION

Set drop_invalid_header_fields to true on the load balancer resource:

resource "aws_alb" "example" {
	load_balancer_type         = "application"
	- drop_invalid_header_fields = false
	+ drop_invalid_header_fields = true
}
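The following is an added example, not Spectral's own implementation of TFAWS005: a small Python checker that scans Terraform source for aws_lb / aws_alb resources and reports application load balancers whose drop_invalid_header_fields attribute is missing (the provider default is false) or not set to true. It uses a deliberately simple regex-based parser for flat resource blocks rather than a full HCL parser, and the Terraform snippet it scans is constructed for the example.

```python
"""Flag ALB resources that do not drop invalid HTTP header fields (Spectral rule TFAWS005).

Added example: a simplified, regex-based scan of Terraform HCL, not Spectral's own engine.
"""
import re

# Opening line of a Terraform load balancer resource: resource "aws_lb" "name" {
# aws_alb is the older alias of aws_lb in the AWS provider, so both are matched.
RESOURCE_RE = re.compile(
    r'resource\s+"(?P<type>aws_lb|aws_alb)"\s+"(?P<name>[^"]+)"\s*\{', re.MULTILINE
)
# Simple `key = value` attribute lines inside a block body.
ATTR_RE = re.compile(
    r'^\s*(?P<key>[a-z_]+)\s*=\s*(?P<value>"[^"]*"|[^\s#]+)', re.MULTILINE
)

# Constructed sample input: one compliant ALB, one explicitly false, one relying on the
# provider default, and one network load balancer that the rule does not apply to.
SAMPLE_TF = '''
resource "aws_lb" "hardened" {
  name                       = "app-hardened"
  load_balancer_type         = "application"
  drop_invalid_header_fields = true
}

resource "aws_alb" "legacy" {
  load_balancer_type         = "application"
  drop_invalid_header_fields = false
}

resource "aws_lb" "implicit" {
  name = "uses-provider-default"
}

resource "aws_lb" "network" {
  load_balancer_type = "network"
}
'''


def _block_body(text, start):
    """Return the text between the brace at `start` and its matching closing brace.

    Naive brace matching: adequate for flat resource blocks, does not skip braces
    that appear inside quoted strings.
    """
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def find_noncompliant_albs(hcl_text):
    """Return (resource_type, name, reason) tuples for ALBs that keep invalid headers."""
    findings = []
    for m in RESOURCE_RE.finditer(hcl_text):
        body = _block_body(hcl_text, m.end() - 1)
        attrs = {
            a.group("key"): a.group("value").strip('"') for a in ATTR_RE.finditer(body)
        }
        # The provider default for load_balancer_type is "application"; only
        # application load balancers have HTTP listeners, so others are skipped.
        if attrs.get("load_balancer_type", "application") != "application":
            continue
        value = attrs.get("drop_invalid_header_fields")
        if value is None:
            findings.append(
                (m.group("type"), m.group("name"), "attribute missing (provider default is false)")
            )
        elif value.lower() != "true":
            findings.append((m.group("type"), m.group("name"), f"set to {value}"))
    return findings


if __name__ == "__main__":
    for rtype, name, reason in find_noncompliant_albs(SAMPLE_TF):
        print(f"NON_COMPLIANT {rtype}.{name}: drop_invalid_header_fields {reason}")
```

Running the script against the constructed sample reports aws_alb.legacy and aws_lb.implicit and stays silent on the hardened ALB and the network load balancer; the "implicit" case is the one most often missed in review, because omitting the attribute silently keeps the insecure default.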

References:

Application Load Balancer

An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply, and then selects a target from the target group for the rule action. You can configure listener rules to route requests to different target groups based on the content of the application traffic. Routing is performed independently for each target group, even when a target is registered with multiple target groups.