Ensure Invalid Headers Are Dropped In ALB
Ensure that AWS Application Load Balancers (ALB) are configured to drop HTTP headers. otherwise, it will be invalid. In the case of a false value for routing.http.drop_invalid_header_fields.enabled
, the rule is NON_COMPLIANT.
Risk Level: medium
Cloud Entity: AWS
Spectral Rule ID: TFAWS005
REMEDIATION
set drop_invalid_header_fields
to true
resource "aws_alb" "example" {
load_balancer_type = "application"
- drop_invalid_header_fields = false
+ drop_invalid_header_fields = true
}
References:
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
- https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_LoadBalancerAttribute.html
- https://docs.aws.amazon.com/config/latest/developerguide/alb-http-drop-invalid-header-enabled.html
Application Load Balancer
An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply, and then selects a target from the target group for the rule action. You can configure listener rules to route requests to different target groups based on the content of the application traffic. Routing is performed independently for each target group, even when a target is registered with multiple target groups.
Updated over 1 year ago