Ensure that ALB drops HTTP headers

Error: ALB does not drop HTTP headers

Bridgecrew Policy ID: BC_AWS_NETWORKING_41
Checkov Check ID: CKV_AWS_131
Severity: MEDIUM

ALB does not drop HTTP headers

Description

Ensure that Drop Invalid Header Fields feature is enabled for your Amazon Application Load Balancers (ALBs) in order to follow security best practices and meet compliance requirements. If Drop Invalid Header Fields security feature is enabled, HTTP headers with header fields that are not valid are removed by the Application Load Balancer instead of being routed to the associated targets.

Fix - Buildtime

Terraform

  • Resource: aws_alb
  • Argument: drop_invalid_header_fields
resource "aws_alb" "test_success" {
                    name               = "test-lb-tf"
                    internal           = false
                    load_balancer_type = "network"
                    subnets            = aws_subnet.public.*.id
 +                  drop_invalid_header_fields = true
                }