Skip to content

Load balancers should drop invalid headers

Default Severity: high

Explanation

Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

Possible Impact

Invalid headers being passed through to the target of the load balance may exploit vulnerabilities

Suggested Resolution

Set drop_invalid_header_fields to true

Insecure Example

The following example will fail the aws-elb-drop-invalid-headers check.

 resource "aws_alb" "bad_example" {
    name               = "bad_alb"
    internal           = false
    load_balancer_type = "application"

    access_logs {
      bucket  = aws_s3_bucket.lb_logs.bucket
      prefix  = "test-lb"
      enabled = true
    }

    drop_invalid_header_fields = false
   }

Secure Example

The following example will pass the aws-elb-drop-invalid-headers check.

 resource "aws_alb" "good_example" {
    name               = "good_alb"
    internal           = false
    load_balancer_type = "application"

    access_logs {
      bucket  = aws_s3_bucket.lb_logs.bucket
      prefix  = "test-lb"
      enabled = true
    }

    drop_invalid_header_fields = true
   }