Load balancers should drop invalid headers

Explanation

Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, any header that does not conform to well-known, defined headers will be removed by the load balancer before the request reaches the target.

Possible Impact

Invalid headers being passed through to the target of the load balancer may be used to exploit vulnerabilities in the target.

Suggested Resolution

Set drop_invalid_header_fields to true

Insecure Example

The following example will fail the aws-elb-drop-invalid-headers check.

resource "aws_alb" "bad_example" {
  name               = "bad_alb"
  internal           = false
  load_balancer_type = "application"

  access_logs {
    bucket  = aws_s3_bucket.lb_logs.bucket
    prefix  = "test-lb"
    enabled = true
  }

  drop_invalid_header_fields = false
}

Secure Example

The following example will pass the aws-elb-drop-invalid-headers check.

resource "aws_alb" "good_example" {
  name               = "good_alb"
  internal           = false
  load_balancer_type = "application"

  access_logs {
    bucket  = aws_s3_bucket.lb_logs.bucket
    prefix  = "test-lb"
    enabled = true
  }

  drop_invalid_header_fields = true
}
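The same check can be applied to a `terraform show -json` plan in a CI step, which also catches the case the examples above do not show: the attribute being omitted entirely, which the AWS provider defaults to false. The script below is an added example, not part of this page or of tfsec; the plan document is constructed inline, and it assumes that aws_alb is an alias of aws_lb and that only application load balancers carry drop_invalid_header_fields.

```python
import json

# Constructed sample plan (not a real one): one ALB with the attribute set to
# false, one set to true, and one in a child module that omits it entirely.
SAMPLE_PLAN = json.dumps({
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_alb.bad_example", "type": "aws_alb",
                 "values": {"name": "bad_alb", "load_balancer_type": "application",
                            "drop_invalid_header_fields": False}},
                {"address": "aws_lb.good_example", "type": "aws_lb",
                 "values": {"name": "good_alb", "load_balancer_type": "application",
                            "drop_invalid_header_fields": True}},
            ],
            "child_modules": [{"address": "module.edge", "resources": [
                {"address": "module.edge.aws_lb.unset", "type": "aws_lb",
                 "values": {"name": "unset_alb", "load_balancer_type": "application"}},
            ]}],
        }
    },
})

LB_TYPES = {"aws_lb", "aws_alb"}  # assumption: aws_alb is an alias of aws_lb


def _walk(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk(child)


def find_failing_load_balancers(plan_json: str) -> list:
    """Return addresses of ALBs that do not drop invalid header fields.
    An omitted attribute counts as failing: the provider default is false."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    failing = []
    for res in _walk(root):
        if res.get("type") not in LB_TYPES:
            continue
        values = res.get("values", {})
        # NLBs and gateway LBs have no HTTP header handling; skip them.
        if values.get("load_balancer_type", "application") != "application":
            continue
        if values.get("drop_invalid_header_fields") is not True:
            failing.append(res["address"])
    return failing


if __name__ == "__main__":
    for address in find_failing_load_balancers(SAMPLE_PLAN):
        print(f"FAIL aws-elb-drop-invalid-headers: {address}")
```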
