Best practices

Application load balancer without invalid HTTP header drop

Compliance Frameworks
  • AWS Foundational Security Best Practices Controls
  • ,
  • ,
  • iso_27001_2022
  • ,
  • iso_27002_2022
  • ,
  • New Zealand Information Security Manual
  • ,
  • NIST 800-53


Application Load Balancers (ALB) are used to route HTTP and HTTPS traffic of web applications. HTTP headers contain information about the request and response messages between server and client (sender and receiver). Invalid HTTP headers might be subject to an HTTP desync attack. This attack exploits the way servers process HTTP requests by manipulating how the front-end and back-end interpret the HTTP request in order to smuggle content through the HTTP header. The smuggled content might help the attacker bypass security measures. It was found that the ALB '{AwsEc2Elbv2}' is not configured to drop invalid HTTP headers. It is recommended to remove invalid headers to prevent HTTP desync attacks.