ALB does not drop HTTP headers

Description

Ensure that the Drop Invalid Header Fields feature is enabled for your Amazon Application Load Balancers (ALBs) in order to follow security best practices and meet compliance requirements. When Drop Invalid Header Fields is enabled, HTTP headers whose header fields are not valid (Elastic Load Balancing requires header names to contain only alphanumeric characters and hyphens) are removed by the Application Load Balancer instead of being routed to the associated targets. The setting only applies to load balancers of type application; it has no effect on network or gateway load balancers, which do not terminate HTTP.

Fix - Buildtime

Terraform

  • Resource: aws_alb
  • Argument: drop_invalid_header_fields
resource "aws_alb" "test_success" {
  name               = "test-lb-tf"
  internal           = false
  # drop_invalid_header_fields is only valid for type "application"
  load_balancer_type = "application"
  subnets            = aws_subnet.public.*.id
+ drop_invalid_header_fields = true
}
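The policy above can be expressed as a small Checkov-style resource check. The following is an added example, not Checkov's or the docs' own code: it takes a resource configuration dict in the shape Checkov hands to Terraform resource checks (every attribute value wrapped in a list), treats an omitted `load_balancer_type` as `application` (Terraform's default), reports network and gateway load balancers as not applicable, and runs over a few constructed sample resources.

```python
"""Added example: a Checkov-style check for the "ALB does not drop HTTP headers"
policy. Not Checkov's own code; the resource dicts below are constructed samples.
"""
from enum import Enum


class CheckResult(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"
    UNKNOWN = "UNKNOWN"  # used here for "not applicable" (assumption)


def scan_alb_drop_invalid_headers(conf: dict) -> CheckResult:
    """Evaluate one aws_lb / aws_alb resource configuration.

    conf mirrors Checkov's parsed-HCL shape: {"attr": [value], ...}.
    - load_balancer_type defaults to "application" when omitted.
    - drop_invalid_header_fields is only meaningful for application LBs;
      network/gateway LBs do not terminate HTTP, so the check does not apply.
    - Terraform's default for drop_invalid_header_fields is false.
    """
    lb_type = conf.get("load_balancer_type", ["application"])[0]
    if str(lb_type).lower() != "application":
        return CheckResult.UNKNOWN

    value = conf.get("drop_invalid_header_fields", [False])[0]
    # Accept a real HCL boolean as well as the string form some parsers emit.
    if value is True or str(value).lower() == "true":
        return CheckResult.PASSED
    return CheckResult.FAILED


# Constructed sample resources (not taken from any real deployment).
SAMPLE_RESOURCES = {
    # Matches the buildtime fix: application LB with the flag enabled.
    "aws_alb.test_success": {
        "name": ["test-lb-tf"],
        "internal": [False],
        "load_balancer_type": ["application"],
        "subnets": ["${aws_subnet.public.*.id}"],
        "drop_invalid_header_fields": [True],
    },
    # Flag omitted: Terraform default is false, so invalid headers are forwarded.
    "aws_lb.missing_flag": {
        "name": ["web-lb"],
        "load_balancer_type": ["application"],
    },
    # Flag explicitly disabled (string form, as some parsers emit it).
    "aws_lb.explicit_false": {
        "name": ["api-lb"],
        "drop_invalid_header_fields": ["false"],
    },
    # Network LB: attribute is not valid here, so the check does not apply.
    "aws_lb.network": {
        "name": ["tcp-lb"],
        "load_balancer_type": ["network"],
    },
}


def evaluate_all(resources: dict) -> dict:
    """Run the check over a mapping of resource address -> configuration."""
    return {
        address: scan_alb_drop_invalid_headers(conf).value
        for address, conf in resources.items()
    }


if __name__ == "__main__":
    for address, result in evaluate_all(SAMPLE_RESOURCES).items():
        print(f"{address}: {result}")
```

The `missing_flag` case is the one that usually slips through review: nothing in the resource looks wrong, but because the provider default is `false`, the load balancer forwards malformed header names to targets until the argument is set explicitly.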