Load balancers should drop invalid headers
Default Severity: high
Explanation
Forwarding HTTP header fields with invalid names through to the targets exposes the backends to whatever those malformed fields trigger in the software that parses them. By default an application load balancer routes such headers to the targets unchanged.
Setting drop_invalid_header_fields to true makes the load balancer remove any header field whose name is not valid (AWS treats names made up of alphanumeric characters and hyphens as valid) before the request is forwarded. The setting maps to the routing.http.drop_invalid_header_fields.enabled load balancer attribute.
Possible Impact
Malformed header fields forwarded unchanged to the targets behind the load balancer can reach backend code that parses or normalises header names unsafely, and so may be used to trigger vulnerabilities in, or spoof trusted headers to, the target application.
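To make the explanation and impact above concrete, the following Python script is an added example (it is not tfsec, Terraform or AWS code) that emulates what the drop_invalid_header_fields setting does to a request. It assumes the rule AWS documents for the setting, that a valid header name consists only of alphanumeric characters and hyphens, and it uses a constructed sample request in which a client-supplied X_Forwarded_For header, with underscores, collides with the X-Forwarded-For header the load balancer itself sets once a CGI/WSGI-style backend maps names to environment variables. The sample header names and values are constructed for the example.

```python
"""Emulate an application load balancer's drop_invalid_header_fields setting.

Added example, not tfsec or AWS code. Assumption: a header name is valid when it
consists only of alphanumeric characters and hyphens, the rule AWS documents
for this setting.
"""
import re
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Names made only of alphanumerics and hyphens are accepted; anything else
# (spaces, underscores, control characters, an empty name) is invalid.
VALID_HEADER_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def is_valid_header_name(name: str) -> bool:
    return VALID_HEADER_NAME.match(name) is not None


def forward_headers(
    headers: List[Header], drop_invalid_header_fields: bool
) -> Tuple[List[Header], List[Header]]:
    """Split a request's headers into (forwarded, dropped) as the load balancer would.

    With drop_invalid_header_fields=False (the default) every header is forwarded.
    With True, header fields with invalid names are removed before forwarding.
    """
    forwarded: List[Header] = []
    dropped: List[Header] = []
    for name, value in headers:
        if drop_invalid_header_fields and not is_valid_header_name(name):
            dropped.append((name, value))
        else:
            forwarded.append((name, value))
    return forwarded, dropped


def cgi_env(headers: List[Header]) -> Dict[str, List[str]]:
    """Map header names the way CGI/WSGI-style backends do (upper-case, '-' -> '_').

    Every value seen for a variable is kept so that collisions stay visible.
    """
    env: Dict[str, List[str]] = {}
    for name, value in headers:
        key = "HTTP_" + name.upper().replace("-", "_")
        env.setdefault(key, []).append(value)
    return env


# Constructed sample request. X-Forwarded-For carries the value the load
# balancer would set; X_Forwarded_For is a client-supplied name with underscores
# that a backend doing the CGI-style mapping above cannot tell apart from it.
SAMPLE_HEADERS: List[Header] = [
    ("Host", "app.example.com"),
    ("X_Forwarded_For", "10.0.0.1"),
    ("X-Forwarded-For", "203.0.113.5"),
    ("Bad Name", "value"),
]


def forwarded_for_values(drop_invalid_header_fields: bool) -> List[str]:
    """Values a CGI-style backend would see for HTTP_X_FORWARDED_FOR."""
    forwarded, _ = forward_headers(SAMPLE_HEADERS, drop_invalid_header_fields)
    return cgi_env(forwarded).get("HTTP_X_FORWARDED_FOR", [])


if __name__ == "__main__":
    for setting in (False, True):
        forwarded, dropped = forward_headers(SAMPLE_HEADERS, setting)
        print(f"drop_invalid_header_fields = {setting}")
        print("  forwarded:", [n for n, _ in forwarded])
        print("  dropped:  ", [n for n, _ in dropped])
        print("  backend HTTP_X_FORWARDED_FOR:", forwarded_for_values(setting))
```

With the setting off, the backend sees two values for HTTP_X_FORWARDED_FOR and has no way to tell which one the load balancer set; with the setting on, only the hyphenated header survives and the client-supplied value never reaches the target.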
Suggested Resolution
Set drop_invalid_header_fields to true on the aws_lb resource (aws_alb is an alias of the same resource). The setting applies to application load balancers; leaving the attribute out is not enough, because the provider default is false. For load balancers that already exist, the same setting is the routing.http.drop_invalid_header_fields.enabled load balancer attribute.
Insecure Example
The following example will fail the aws-elb-drop-invalid-headers check.
resource "aws_alb" "bad_example" {
  name               = "bad_alb"
  internal           = false
  load_balancer_type = "application"

  access_logs {
    bucket  = aws_s3_bucket.lb_logs.bucket
    prefix  = "test-lb"
    enabled = true
  }

  # Invalid header fields are routed to the targets. Omitting the attribute
  # has the same effect, since the provider default is false.
  drop_invalid_header_fields = false
}
Secure Example
The following example will pass the aws-elb-drop-invalid-headers check.
resource "aws_alb" "good_example" {
  name               = "good_alb"
  internal           = false
  load_balancer_type = "application"

  access_logs {
    bucket  = aws_s3_bucket.lb_logs.bucket
    prefix  = "test-lb"
    enabled = true
  }

  # Header fields with invalid names are removed before forwarding.
  drop_invalid_header_fields = true
}