Ensure that the Drop Invalid Header Fields feature is enabled for your Amazon Application Load Balancers (ALBs) in order to follow security best practices and meet compliance requirements. When the Drop Invalid Header Fields feature is enabled, the Application Load Balancer removes HTTP headers whose header fields are not valid instead of routing them to the associated targets.
Amazon Web Services (AWS) considers standard header names to consist only of alphanumeric characters and hyphens. The Amazon Elastic Load Balancing (ELB) service therefore introduced the Drop Invalid Header Fields feature (the "routing.http.drop_invalid_header_fields.enabled" load balancer attribute) to improve security by letting users control whether an Application Load Balancer forwards non-standard headers sent by clients to the load balancer targets.
To determine if the Drop Invalid Header Fields feature is enabled for your Amazon Application Load Balancers (ALBs), perform the following actions:
Remediation / Resolution
To enable the Drop Invalid Header Fields security feature for your existing Amazon Application Load Balancers (ALBs), perform the following actions:
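As an added example that is not part of this rule page or Conformity's own tooling, the audit and the remediation described in the two sections above, written in Python against the boto3 ELBv2 API; the evaluation logic is kept separate from the live calls so it can be checked on the constructed sample data at the bottom, and the account id, ARNs and load balancer names there are placeholders.

```python
# ELBv2 load balancer attribute named on the page; it exists only on Application Load Balancers.
DROP_INVALID_HEADERS_KEY = "routing.http.drop_invalid_header_fields.enabled"


def drop_invalid_headers_enabled(attributes):
    """Compliant only when explicitly 'true'; a missing key counts as 'false', the ALB default."""
    # `attributes` has the API shape [{'Key': ..., 'Value': ...}, ...]
    values = {a["Key"]: a["Value"] for a in attributes}
    return values.get(DROP_INVALID_HEADERS_KEY, "false").lower() == "true"


def evaluate(load_balancers, attributes_by_arn):
    """One finding per ALB; Network/Gateway Load Balancers lack this attribute and are skipped."""
    findings = []
    for lb in load_balancers:
        if lb.get("Type") != "application":
            continue
        arn = lb["LoadBalancerArn"]
        compliant = drop_invalid_headers_enabled(attributes_by_arn.get(arn, []))
        findings.append({"name": lb["LoadBalancerName"], "arn": arn, "compliant": compliant})
    return findings


def audit_and_remediate(region, fix=False):
    """Live boto3 audit (SDK and credentials assumed); fix=True applies the page's remediation."""
    import boto3  # imported lazily so the evaluation logic above also runs offline
    elbv2 = boto3.client("elbv2", region_name=region)
    lbs = [lb for page in elbv2.get_paginator("describe_load_balancers").paginate() for lb in page["LoadBalancers"]]
    attrs = {lb["LoadBalancerArn"]: elbv2.describe_load_balancer_attributes(
                 LoadBalancerArn=lb["LoadBalancerArn"])["Attributes"]
             for lb in lbs if lb["Type"] == "application"}
    findings = evaluate(lbs, attrs)
    for f in findings:
        if fix and not f["compliant"]:
            # Same attribute the page tells you to enable, set to 'true' on the non-compliant ALB.
            elbv2.modify_load_balancer_attributes(
                LoadBalancerArn=f["arn"],
                Attributes=[{"Key": DROP_INVALID_HEADERS_KEY, "Value": "true"}])
            f["remediated"] = True
    return findings


# Constructed sample in the shape the ELBv2 API returns (placeholder account id and ARNs).
ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/"
SAMPLE_LBS = [
    {"LoadBalancerName": "web-alb", "Type": "application", "LoadBalancerArn": ARN + "app/web-alb/0001"},
    {"LoadBalancerName": "api-alb", "Type": "application", "LoadBalancerArn": ARN + "app/api-alb/0002"},
    {"LoadBalancerName": "tcp-nlb", "Type": "network", "LoadBalancerArn": ARN + "net/tcp-nlb/0003"},
]
SAMPLE_ATTRS = {
    ARN + "app/web-alb/0001": [{"Key": DROP_INVALID_HEADERS_KEY, "Value": "true"}],
    ARN + "app/api-alb/0002": [{"Key": "idle_timeout.timeout_seconds", "Value": "60"}],  # flag absent
}
```

Running `evaluate(SAMPLE_LBS, SAMPLE_ATTRS)` reports web-alb as compliant and api-alb as non-compliant, while the network load balancer is left out of scope; `audit_and_remediate("us-east-1", fix=True)` does the same against a real account and sets the attribute on every ALB that fails.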
Drop Invalid Header Fields for Application Load Balancers
Risk level: Medium