
πŸ›‘οΈ AWS ELB Application Load Balancer is not configured to drop invalid HTTP headers🟒

  • Contextual name: 🛡️ Application Load Balancer is not configured to drop invalid HTTP headers 🟢
  • ID: /ce/ca/aws/elb/load-balancer-drop-invalid-headers
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY

Description

This policy identifies AWS ELB Application Load Balancers that are not configured to drop invalid HTTP header fields. By default, the routing.http.drop_invalid_header_fields.enabled attribute is set to false, which allows the load balancer to forward HTTP headers that do not conform to protocol specifications to target groups.

Note: The routing.http.drop_invalid_header_fields.enabled attribute was introduced to provide baseline protection against HTTP desync by dropping malformed HTTP headers. The routing.http.desync_mitigation_mode attribute (AWS ELB Load Balancer is not configured with defensive or strictest desync mitigation mode) was later added to offer more comprehensive and configurable protection against HTTP desync attacks. You are not required to enable both attributes; instead, you should select the option that best aligns with your application’s security and compatibility requirements.

Rationale​

Enabling this feature helps protect backend applications from HTTP Request Smuggling and HTTP Desynchronization attacks. These attack techniques exploit malformed or ambiguous HTTP headers to bypass security controls, poison web caches, or hijack user sessions. By dropping invalid headers at the load balancer level, only well-formed and standards-compliant requests are allowed to reach backend services, reducing the overall attack surface.


Remediation

Enable Drop Invalid Header Fields Attribute

Configure the Application Load Balancer to drop HTTP header fields that do not conform to protocol specifications. This ensures that only well-formed requests are forwarded to backend target groups.

From Command Line

Run the following AWS CLI command, replacing the placeholder with the ARN of the Application Load Balancer:

aws elbv2 modify-load-balancer-attributes \
    --load-balancer-arn {{load-balancer-arn}} \
    --attributes Key=routing.http.drop_invalid_header_fields.enabled,Value=true

After the command completes successfully, the load balancer will reject requests containing invalid HTTP headers.
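As an added example (not part of the Cloudaware policy or its policy.yaml), the following Python check evaluates the JSON returned by `aws elbv2 describe-load-balancers` and `aws elbv2 describe-load-balancer-attributes` against this policy: it treats a missing attribute as the default (false), skips load balancers that are not of type application because only ALBs carry this attribute, reports the desync mitigation mode of a failing ALB for context, and prints the remediation command above filled in for that ARN. The sample ARNs and attribute lists are constructed placeholders.

```python
import json

DROP_KEY = "routing.http.drop_invalid_header_fields.enabled"
DESYNC_KEY = "routing.http.desync_mitigation_mode"

def attributes_to_dict(attributes):
    """Flatten the [{"Key": ..., "Value": ...}] list that describe-load-balancer-attributes returns."""
    return {a["Key"]: a["Value"] for a in attributes}

def drop_invalid_headers_enabled(attributes):
    """True only when the attribute is explicitly "true"; absent or any other value means the default, false."""
    return attributes_to_dict(attributes).get(DROP_KEY, "false").strip().lower() == "true"

def remediation_command(arn):
    """The CLI remediation from this page, filled in for one load balancer ARN."""
    return (f"aws elbv2 modify-load-balancer-attributes --load-balancer-arn {arn} "
            f"--attributes Key={DROP_KEY},Value=true")

def evaluate(load_balancer, attributes):
    """Finding for one entry of describe-load-balancers plus its attribute list.
    Only Application Load Balancers carry this attribute, so other types are NOT_APPLICABLE
    rather than failed. A failing ALB also reports its desync mitigation mode (AWS default:
    defensive), since the Note above says either control may be chosen."""
    arn = load_balancer["LoadBalancerArn"]
    if load_balancer.get("Type") != "application":
        return {"arn": arn, "status": "NOT_APPLICABLE"}
    if drop_invalid_headers_enabled(attributes):
        return {"arn": arn, "status": "PASS"}
    mode = attributes_to_dict(attributes).get(DESYNC_KEY, "defensive")
    return {"arn": arn, "status": "FAIL", "desync_mitigation_mode": mode,
            "remediation": remediation_command(arn)}

def evaluate_cli_output(describe_lbs_json, attributes_json_by_arn):
    """Run the check over raw JSON text captured from the two AWS CLI calls."""
    lbs = json.loads(describe_lbs_json)["LoadBalancers"]
    attrs = {arn: json.loads(t)["Attributes"] for arn, t in attributes_json_by_arn.items()}
    return [evaluate(lb, attrs.get(lb["LoadBalancerArn"], [])) for lb in lbs]

# Constructed sample with placeholder ARNs (not real resources): a hardened ALB,
# an ALB still on the default, and an NLB the attribute does not apply to.
SAMPLE_LBS = json.dumps({"LoadBalancers": [
    {"LoadBalancerArn": "arn:PLACEHOLDER/app/hardened", "Type": "application"},
    {"LoadBalancerArn": "arn:PLACEHOLDER/app/default", "Type": "application"},
    {"LoadBalancerArn": "arn:PLACEHOLDER/net/tcp", "Type": "network"}]})
SAMPLE_ATTRS = {
    "arn:PLACEHOLDER/app/hardened": json.dumps({"Attributes": [{"Key": DROP_KEY, "Value": "true"}]}),
    "arn:PLACEHOLDER/app/default": json.dumps({"Attributes": [{"Key": DROP_KEY, "Value": "false"}]}),
    "arn:PLACEHOLDER/net/tcp": json.dumps({"Attributes": []})}

FINDINGS = evaluate_cli_output(SAMPLE_LBS, SAMPLE_ATTRS)  # one finding per load balancer
```

Against the constructed sample this yields PASS, FAIL (with the remediation command) and NOT_APPLICABLE in turn; replace the sample strings with the real CLI output to audit an account.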


Linked Framework Sections

Section | Policies | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.4] Application Load Balancer should be configured to drop invalid http headers | 1 | no data
💼 Cloudaware Framework → 💼 Threat Protection | 48 | no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H) | 41 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H) | 41 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services | 41 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(2) Transmission Confidentiality and Integrity _ Pre- and Post-transmission Handling | 14 | no data
💼 PCI DSS v3.2.1 → 💼 6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws. | 5 | no data
💼 PCI DSS v3.2.1 → 💼 6.5.2 Buffer overflows. | 5 | no data
💼 PCI DSS v3.2.1 → 💼 6.5.3 Insecure cryptographic storage. | 5 | no data
💼 PCI DSS v3.2.1 → 💼 6.5.4 Insecure communications. | 5 | no data
💼 PCI DSS v3.2.1 → 💼 6.5.5 Improper error handling. | 5 | no data
💼 PCI DSS v3.2.1 → 💼 6.5.6 All “high risk” vulnerabilities identified in the vulnerability identification process. | 5 | no data
💼 PCI DSS v3.2.1 → 💼 6.5.7 Cross-site scripting (XSS). | 5 | no data
💼 PCI DSS v3.2.1 → 💼 6.5.8 Improper access control. | 5 | no data
💼 PCI DSS v3.2.1 → 💼 6.5.9 Cross-site request forgery (CSRF). | 5 | no data
💼 PCI DSS v3.2.1 → 💼 6.5.10 Broken authentication and session management. | 5 | no data
💼 PCI DSS v4.0.1 → 💼 6.2.4 Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software. | 5 | no data
💼 PCI DSS v4.0 → 💼 6.2.4 Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software. | 5 | no data