Application Load Balancer Is Not Configured To Drop HTTP Headers
Overview
This check examines AWS Application Load Balancers to verify that they are configured to drop invalid HTTP header fields. The control fails if the load balancer attribute routing.http.drop_invalid_header_fields.enabled is set to false.
By default, Application Load Balancers do not drop invalid HTTP header values. Dropping these header values is an important mitigation against HTTP desync attacks.
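The following Python is an added example of how this check can be evaluated; it is not code from the original control page or from AWS. It operates on the attribute list shape returned by the ELBv2 API (a list of Key/Value dicts, as describe-load-balancer-attributes returns) and on constructed sample load balancers. The live audit helper assumes boto3 is installed and uses the real describe_load_balancers, describe_load_balancer_attributes and modify_load_balancer_attributes calls; the record layout fed to evaluate_load_balancers is this example's own combination of those two responses.

```python
"""Evaluate the ALB control "drop invalid HTTP header fields" (ELB.4).

Added example, not part of the original page. The pure functions below
evaluate already-fetched data so they run offline; the live helpers at the
end assume boto3 and real AWS credentials.
"""

DROP_INVALID_HEADERS_KEY = "routing.http.drop_invalid_header_fields.enabled"


def evaluate_attributes(attributes):
    """Return (passed, reason) for one load balancer's attribute list.

    The control fails when the key is "false". This example also treats a
    missing key as a failure, because the ALB default keeps invalid headers.
    """
    values = {a.get("Key"): a.get("Value") for a in attributes}
    value = values.get(DROP_INVALID_HEADERS_KEY)
    if value is None:
        return False, f"{DROP_INVALID_HEADERS_KEY} not present (default keeps invalid headers)"
    if str(value).lower() == "true":
        return True, "invalid HTTP header fields are dropped"
    return False, f"{DROP_INVALID_HEADERS_KEY}={value}"


def evaluate_load_balancers(load_balancers):
    """Evaluate records of the form
    {"LoadBalancerArn": ..., "Type": ..., "Attributes": [...]}.

    Only Type "application" is in scope; the attribute is ALB-specific, so
    network and gateway load balancers are skipped rather than failed.
    """
    findings = []
    for lb in load_balancers:
        if lb.get("Type") != "application":
            continue
        passed, reason = evaluate_attributes(lb.get("Attributes", []))
        findings.append({
            "LoadBalancerArn": lb["LoadBalancerArn"],
            "Passed": passed,
            "Reason": reason,
        })
    return findings


# Constructed sample data (placeholder ARNs), shaped like the two API responses
# merged into one record per load balancer.
SAMPLE_LOAD_BALANCERS = [
    {
        "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/alb-ok/EXAMPLE1",
        "Type": "application",
        "Attributes": [{"Key": DROP_INVALID_HEADERS_KEY, "Value": "true"}],
    },
    {
        "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/alb-default/EXAMPLE2",
        "Type": "application",
        "Attributes": [{"Key": DROP_INVALID_HEADERS_KEY, "Value": "false"}],
    },
    {
        "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/nlb/EXAMPLE3",
        "Type": "network",
        "Attributes": [],
    },
]


def audit_account(region_name, remediate=False):
    """Live audit (assumption: boto3 installed, credentials configured).

    Fetches every load balancer and its attributes, evaluates them, and
    optionally sets the attribute to "true" on failing ALBs.
    """
    import boto3  # imported lazily so the offline functions need no boto3

    client = boto3.client("elbv2", region_name=region_name)
    records = []
    for page in client.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancers"]:
            attrs = client.describe_load_balancer_attributes(
                LoadBalancerArn=lb["LoadBalancerArn"])["Attributes"]
            records.append({"LoadBalancerArn": lb["LoadBalancerArn"],
                            "Type": lb["Type"], "Attributes": attrs})
    findings = evaluate_load_balancers(records)
    if remediate:
        for f in findings:
            if not f["Passed"]:
                client.modify_load_balancer_attributes(
                    LoadBalancerArn=f["LoadBalancerArn"],
                    Attributes=[{"Key": DROP_INVALID_HEADERS_KEY, "Value": "true"}])
    return findings


if __name__ == "__main__":
    for finding in evaluate_load_balancers(SAMPLE_LOAD_BALANCERS):
        status = "PASS" if finding["Passed"] else "FAIL"
        print(f"{status} {finding['LoadBalancerArn']}: {finding['Reason']}")
```

Run against the embedded sample, the first ALB passes and the second fails; the network load balancer produces no finding. The same attribute can be set from the AWS CLI with modify-load-balancer-attributes using Key=routing.http.drop_invalid_header_fields.enabled,Value=true.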
Vendor
AWS
Cloud Service
ELBv2
References
https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-4
Severity
3
Item Types
AWS::ElasticLoadBalancingV2::LoadBalancer