Drop Invalid Header Fields for Application Load Balancers

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that the Drop Invalid Header Fields feature is enabled for your Amazon Application Load Balancers (ALBs) in order to follow security best practices and meet compliance requirements. When the Drop Invalid Header Fields security feature is enabled, the Application Load Balancer removes HTTP headers whose field names are not valid instead of routing them to the associated targets.

Security

Amazon Web Services (AWS) considers a standard header field name to contain only alphanumeric characters and hyphens. The Amazon Elastic Load Balancing (ELB) service therefore introduced the Drop Invalid Header Fields feature (i.e. the "routing.http.drop_invalid_header_fields.enabled" attribute) to improve security by letting users control whether an Application Load Balancer forwards non-standard headers sent in client requests to the load balancer targets, or strips them before the request reaches the targets.

Audit

To determine if the Drop Invalid Header Fields feature is enabled for your Amazon Application Load Balancers (ALBs), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the Application Load Balancer that you want to examine. An Application Load Balancer (ALB) shows the value application in the Type column.

05 Select the Description tab to access the configuration information available for the selected load balancer.

06 In the Attributes section, verify the Drop Invalid Header Fields configuration attribute value. If the Drop Invalid Header Fields attribute value is set to Disabled, the Drop Invalid Header Fields feature is not enabled for the selected Amazon Application Load Balancer (ALB).

07 Repeat steps no. 4 – 6 for each Application Load Balancer created within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-load-balancers command (OSX/Linux/UNIX) using custom query filters to list the Amazon Resource Names (ARNs) of all the Application Load Balancers (ALBs) available in the selected AWS region:

aws elbv2 describe-load-balancers \
	--region us-east-1 \
	--query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn'

02 The command output should return an array with the requested ALB ARN(s):

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-production-alb/abcdabcdabcdabcd",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-webapp-endpoint-alb/abcd1234abcd1234"
]

03 Run the describe-load-balancer-attributes command (OSX/Linux/UNIX) using the ARN of the Amazon Application Load Balancer that you want to examine as the identifier parameter, together with custom query filters, to describe the status of the Drop Invalid Header Fields feature for the selected load balancer:

aws elbv2 describe-load-balancer-attributes \
	--region us-east-1 \
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-production-alb/abcdabcdabcdabcd \
	--query 'Attributes[?(Key == `routing.http.drop_invalid_header_fields.enabled`)].Value | []'

04 The command output should return the requested configuration status (true for enabled, false for disabled):

[
    "false"
]

If the describe-load-balancer-attributes command output returns false, the Drop Invalid Header Fields feature is not enabled for the selected Amazon Application Load Balancer (ALB).

05 Repeat steps no. 3 and 4 for each Application Load Balancer deployed in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

To enable the Drop Invalid Header Fields security feature for your existing Amazon Application Load Balancers (ALBs), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING, choose Load Balancers.

04 Select the Application Load Balancer that you want to reconfigure (see Audit section part I to identify the right load balancer).

05 Select the Description tab and click on the Edit attributes button available in the Attributes section.

06 Within Edit load balancer attributes configuration box, select the Drop Invalid Header Fields configuration checkbox to enable the Drop Invalid Header Fields security feature for the selected Application Load Balancer. Click Save to apply the configuration changes.

07 Repeat steps no. 4 – 6 to enable the feature for other Application Load Balancers (ALBs) available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run the modify-load-balancer-attributes command (OSX/Linux/UNIX) using the ARN of the Amazon Application Load Balancer (ALB) that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right ALB resource) to enable the Drop Invalid Header Fields security feature for the selected load balancer:

aws elbv2 modify-load-balancer-attributes \
	--region us-east-1 \
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-production-alb/abcdabcdabcdabcd \
	--attributes Key=routing.http.drop_invalid_header_fields.enabled,Value=true

02 The command output should return the configuration attributes for the modified Application Load Balancer:

{
    "Attributes": [
        {
            "Value": "true",
            "Key": "routing.http.drop_invalid_header_fields.enabled"
        },
        {
            "Value": "false",
            "Key": "access_logs.s3.enabled"
        },
        {
            "Value": "",
            "Key": "access_logs.s3.bucket"
        },
        {
            "Value": "",
            "Key": "access_logs.s3.prefix"
        },
        {
            "Value": "30",
            "Key": "idle_timeout.timeout_seconds"
        },
        {
            "Value": "true",
            "Key": "deletion_protection.enabled"
        },
        {
            "Value": "true",
            "Key": "routing.http2.enabled"
        },
        {
            "Value": "strictest",
            "Key": "routing.http.desync_mitigation_mode"
        }
    ]
}

03 Repeat steps no. 1 and 2 to enable the security feature for other Application Load Balancers (ALBs) deployed in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the remediation process for other regions.
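A script that performs the CLI audit from the Audit section and builds the remediation command from step 1 above for every non-compliant ALB, added here as an example; it is not part of the Conformity article and not AWS code. It reads the JSON shapes returned by describe-load-balancers and describe-load-balancer-attributes, applies the same Type == application and attribute filters as the --query expressions, and treats a missing attribute as disabled so that an unexpected response fails closed. The two ALB ARNs are taken from the article's sample output; the network load balancer ARN, the attribute values, and the helpers audit_region_live and is_standard_header_name are constructed for this example (the latter encodes the article's definition of a standard header field name).

```python
"""Offline audit of routing.http.drop_invalid_header_fields.enabled on ALBs.

Added example, not Conformity's or AWS's code. Sample inputs are constructed
stand-ins for the JSON that the two describe commands in the article return.
"""
import json
import re
import subprocess
from typing import Dict, List

ATTR_KEY = "routing.http.drop_invalid_header_fields.enabled"

# ARNs taken from the article's sample output.
PROD_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
            "loadbalancer/app/cc-web-production-alb/abcdabcdabcdabcd")
ENDPOINT_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                "loadbalancer/app/cc-webapp-endpoint-alb/abcd1234abcd1234")
# Constructed NLB ARN, present only to show that non-ALB types are skipped.
NLB_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
           "loadbalancer/net/example-nlb/0000000000000000")

# Constructed stand-in for `aws elbv2 describe-load-balancers` output.
SAMPLE_LOAD_BALANCERS: Dict = {"LoadBalancers": [
    {"LoadBalancerArn": PROD_ARN, "Type": "application"},
    {"LoadBalancerArn": ENDPOINT_ARN, "Type": "application"},
    {"LoadBalancerArn": NLB_ARN, "Type": "network"},
]}

# Constructed stand-in for `describe-load-balancer-attributes`, keyed by ARN.
SAMPLE_ATTRIBUTES: Dict[str, Dict] = {
    PROD_ARN: {"Attributes": [
        {"Key": ATTR_KEY, "Value": "false"},
        {"Key": "routing.http2.enabled", "Value": "true"},
    ]},
    ENDPOINT_ARN: {"Attributes": [{"Key": ATTR_KEY, "Value": "true"}]},
}

# The article's definition of a standard header field name: alphanumeric
# characters and hyphens only. Names outside this set are what the feature
# strips from a request when it is enabled.
_STANDARD_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def is_standard_header_name(name: str) -> bool:
    """True for X-Forwarded-For; False for X_Custom or 'X Custom'."""
    return bool(_STANDARD_NAME.match(name))


def application_lb_arns(describe_output: Dict) -> List[str]:
    """Same filter as the --query 'Type == `application`' in the Audit section."""
    return [lb["LoadBalancerArn"]
            for lb in describe_output.get("LoadBalancers", [])
            if lb.get("Type") == "application"]


def drop_invalid_headers_enabled(attributes_output: Dict) -> bool:
    """Compliant only when the attribute is present and literally "true".

    A missing attribute is reported as disabled so an unexpected response
    shape fails closed instead of hiding a non-compliant load balancer.
    """
    for attr in attributes_output.get("Attributes", []):
        if attr.get("Key") == ATTR_KEY:
            return str(attr.get("Value", "")).lower() == "true"
    return False


def find_noncompliant(describe_output: Dict,
                      attributes_by_arn: Dict[str, Dict]) -> List[str]:
    """ARNs of ALBs that do not have the feature enabled."""
    return [arn for arn in application_lb_arns(describe_output)
            if not drop_invalid_headers_enabled(attributes_by_arn.get(arn, {}))]


def remediation_command(arn: str, region: str) -> List[str]:
    """argv for the modify-load-balancer-attributes call in the Remediation section."""
    return ["aws", "elbv2", "modify-load-balancer-attributes",
            "--region", region, "--load-balancer-arn", arn,
            "--attributes", f"Key={ATTR_KEY},Value=true"]


def audit_region_live(region: str) -> List[str]:
    """Run the two Audit commands for real; needs the aws CLI and credentials."""
    def aws(*args: str) -> Dict:
        out = subprocess.check_output(
            ["aws", "elbv2", *args, "--region", region, "--output", "json"])
        return json.loads(out)
    lbs = aws("describe-load-balancers")
    attrs = {arn: aws("describe-load-balancer-attributes", "--load-balancer-arn", arn)
             for arn in application_lb_arns(lbs)}
    return find_noncompliant(lbs, attrs)


if __name__ == "__main__":
    for arn in find_noncompliant(SAMPLE_LOAD_BALANCERS, SAMPLE_ATTRIBUTES):
        print("NON-COMPLIANT:", arn)
        print("  fix:", " ".join(remediation_command(arn, "us-east-1")))
```

Run as-is it reports cc-web-production-alb as non-compliant and prints the exact modify-load-balancer-attributes invocation for it; swap the constructed samples for audit_region_live("us-east-1") to check a real region, and loop over regions to cover steps 3 and 4.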

Publication date Aug 1, 2021
