Best practices

Application load balancer without invalid HTTP header drop

Description

Application Load Balancers (ALB) route HTTP and HTTPS traffic to web applications. HTTP headers carry metadata about the request and response messages exchanged between client and server. By default an ALB forwards a request to its targets even when the request contains header fields whose names are not valid (the ALB accepts only header names made of alphanumeric characters and hyphens). Malformed headers are a common ingredient of HTTP desync (request smuggling) attacks, which exploit differences between how the front end (here the ALB) and the back end parse the same request, so that part of the request is interpreted by the back end as a second, smuggled request. Smuggled content can bypass security controls applied at the front end. It was found that the ALB '{AwsEc2Elbv2}' is not configured to drop invalid HTTP header fields. It is recommended to enable this setting so that the ALB removes invalid header fields before forwarding requests to targets.
  • Recommended Mitigation

    It is recommended to configure the application load balancer to drop HTTP header fields with invalid names by setting the load balancer attribute routing.http.drop_invalid_header_fields.enabled to true (the default is false). To configure the load balancer, follow the instructions at: <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-elb-4" target="_blank" rel="noopener noreferrer">https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-elb-4</a>
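The following is an added example, not code from the finding's source or from AWS. It shows three things a practitioner would want around this control: a check that reads an ALB attribute document (the shape returned by the elbv2 DescribeLoadBalancerAttributes API) and reports whether the drop setting is enabled, a helper that lists which header names in a raw HTTP/1.1 request the ALB would classify as invalid under its alphanumeric-and-hyphen rule, and a builder for the ModifyLoadBalancerAttributes call that remediates the finding. The attribute documents, the sample request and the load balancer ARN are constructed for illustration and do not come from a real account or capture.

```python
"""Audit an Application Load Balancer's attributes for the invalid-header
drop setting (Security Hub control ELB.4) and build the remediation call.

Added example, not code from the finding's source. The sample attribute
documents and the sample request below are constructed to mirror the
shape of elbv2 DescribeLoadBalancerAttributes output and an HTTP/1.1
request; they do not come from a real account or capture.
"""
import re

# ALB attribute that controls the behaviour described in the finding.
DROP_INVALID = "routing.http.drop_invalid_header_fields.enabled"

# The ALB treats a header field name as valid only if it consists of
# alphanumeric characters and hyphens.
VALID_HEADER_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def drops_invalid_headers(attributes: dict) -> bool:
    """True if the attribute document has the drop setting enabled.

    `attributes` has the shape returned by describe_load_balancer_attributes:
    {"Attributes": [{"Key": ..., "Value": ...}, ...]}. A missing key means
    the ALB default (false) applies, so the ALB is reported non-compliant.
    """
    for attr in attributes.get("Attributes", []):
        if attr.get("Key") == DROP_INVALID:
            return str(attr.get("Value", "false")).lower() == "true"
    return False


def invalid_header_names(raw_request: bytes) -> list:
    """Return the header field names in a raw HTTP/1.1 request that the ALB
    classifies as invalid (and removes when the setting is enabled)."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    header_lines = head.split(b"\r\n")[1:]  # drop the request line
    bad = []
    for line in header_lines:
        name, sep, _ = line.partition(b":")
        if not sep:
            continue  # not a header line; ignore
        decoded = name.decode("latin-1")
        if not VALID_HEADER_NAME.match(decoded):
            bad.append(decoded)
    return bad


def remediation_args(load_balancer_arn: str) -> dict:
    """Keyword arguments for ModifyLoadBalancerAttributes that enable the
    setting; pass as **kwargs to boto3's
    elbv2.modify_load_balancer_attributes()."""
    return {
        "LoadBalancerArn": load_balancer_arn,
        "Attributes": [{"Key": DROP_INVALID, "Value": "true"}],
    }


# Constructed sample attribute documents (not from a real account).
NONCOMPLIANT_ALB = {
    "Attributes": [
        {"Key": "idle_timeout.timeout_seconds", "Value": "60"},
        {"Key": DROP_INVALID, "Value": "false"},
    ]
}
COMPLIANT_ALB = {
    "Attributes": [
        {"Key": DROP_INVALID, "Value": "true"},
    ]
}

# Constructed request: "Transfer Encoding" (space in the name) and
# "X_Custom" (underscore) are not valid ALB header names; "Host" and
# "Content-Length" are.
SAMPLE_REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer Encoding: chunked\r\n"
    b"X_Custom: 1\r\n"
    b"\r\n"
    b"hello"
)

if __name__ == "__main__":
    for label, doc in (("noncompliant", NONCOMPLIANT_ALB), ("compliant", COMPLIANT_ALB)):
        print(label, "drops invalid headers:", drops_invalid_headers(doc))
    print("invalid header names:", invalid_header_names(SAMPLE_REQUEST))
    # Placeholder ARN, not a real load balancer.
    print("remediation:", remediation_args(
        "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/example/0123456789abcdef"))
```

Enabling the attribute removes the offending header fields; it does not reject the whole request, so the back end still sees a request, just without the fields the ALB could not validate. It is also worth pairing this setting with the ALB's separate desync mitigation attribute, routing.http.desync_mitigation_mode (monitor, defensive or strictest), which governs how the ALB handles requests that are ambiguous under RFC 7230 rather than merely badly named.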