HIGH
Source
Trivy
ID
AVD-AWS-0052

Load balancers should drop invalid headers

Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, any header field that does not conform to well-known, defined header names will be removed by the load balancer before the request is forwarded.

Impact

Invalid headers passed through to the target of the load balancer may be used to exploit vulnerabilities in that target.

Follow the appropriate remediation steps below to resolve the issue.

Set drop_invalid_header_fields to true

resource "aws_alb" "good_example" {
  name               = "good_alb"
  internal           = false
  load_balancer_type = "application"

  access_logs {
    bucket  = aws_s3_bucket.lb_logs.bucket
    prefix  = "test-lb"
    enabled = true
  }

  # Drop header fields that do not conform to well-known, defined
  # header names instead of forwarding them to the target.
  drop_invalid_header_fields = true
}
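To verify the setting on load balancers that are already deployed rather than only in Terraform, the following added example (not part of the original page or of Trivy) audits the attribute records that `aws elbv2 describe-load-balancer-attributes` returns. It assumes the Terraform argument maps to the ELBv2 attribute key `routing.http.drop_invalid_header_fields.enabled`, that the attribute is absent when never set (AWS then defaults it to false), and the sample records are constructed here to mimic that output shape.

```python
"""Audit ALB attribute records for the drop_invalid_header_fields setting.

Added example. SAMPLE_LOAD_BALANCERS is constructed to mimic the shape of
`aws elbv2 describe-load-balancer-attributes` output; the attribute key is
the ELBv2 attribute the Terraform argument maps to (assumption, see lead-in).
"""

# ELBv2 attribute behind Terraform's drop_invalid_header_fields (assumption).
DROP_INVALID_KEY = "routing.http.drop_invalid_header_fields.enabled"

# Constructed sample data: one compliant ALB, one explicitly disabled,
# one that never had the attribute set (AWS default is false).
SAMPLE_LOAD_BALANCERS = {
    "good_alb": {"Attributes": [
        {"Key": "access_logs.s3.enabled", "Value": "true"},
        {"Key": DROP_INVALID_KEY, "Value": "true"},
    ]},
    "legacy_alb": {"Attributes": [
        {"Key": DROP_INVALID_KEY, "Value": "false"},
    ]},
    "unset_alb": {"Attributes": [
        {"Key": "idle_timeout.timeout_seconds", "Value": "60"},
    ]},
}


def drops_invalid_headers(describe_output: dict) -> bool:
    """Return True only if the ALB explicitly drops invalid header fields.

    A missing attribute is treated as "false", matching the AWS default, so
    a load balancer created without the setting is reported as non-compliant.
    """
    attrs = {a["Key"]: a["Value"] for a in describe_output.get("Attributes", [])}
    return attrs.get(DROP_INVALID_KEY, "false").strip().lower() == "true"


def find_noncompliant(load_balancers: dict) -> list:
    """Names of load balancers that forward invalid header fields to targets."""
    return sorted(
        name for name, output in load_balancers.items()
        if not drops_invalid_headers(output)
    )


if __name__ == "__main__":
    for name in find_noncompliant(SAMPLE_LOAD_BALANCERS):
        print(f"AVD-AWS-0052: {name} does not drop invalid header fields")
```

In practice the `SAMPLE_LOAD_BALANCERS` dictionary would be replaced by the per-ARN results of `describe-load-balancer-attributes`; treating an absent attribute as non-compliant is deliberate, since the default leaves invalid headers flowing to the target.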