For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-aws-alb-not-dropping-invalid-headers.md. A documentation index is available at /llms.txt.

Metadata

Id: terraform-aws-alb-not-dropping-invalid-headers

Provider: AWS

Platform: Terraform

Severity: Medium

Category: Best Practices

Description

It is recommended to set the drop_invalid_header_fields attribute to true on AWS Application Load Balancer resources (aws_alb, or the equivalent aws_lb with load_balancer_type = "application", which is also the provider default when the type is omitted). The attribute defaults to false, so if it is omitted or set to false, as in the examples below, the load balancer forwards requests carrying invalid HTTP header fields (header names containing characters other than alphanumerics and hyphens) to the targets unchanged. Backends and intermediate proxies handle such headers inconsistently, which exposes the application to header-based attacks, for example HTTP desync (request smuggling) or injection of a malformed variant of a header the backend treats as trusted, as well as plain unexpected backend behavior:

resource "aws_alb" "disabled_1" {
  ...
}

resource "aws_alb" "disabled_2" {
  ...
  drop_invalid_header_fields = false
}

Setting drop_invalid_header_fields = true makes the load balancer strip those header fields before the request reaches the targets, so only well-formed headers are processed. The attribute is only meaningful for application load balancers; it maps to the ELBv2 load balancer attribute routing.http.drop_invalid_header_fields.enabled, so load balancers that already exist can be audited with aws elbv2 describe-load-balancer-attributes. One caveat before enabling it: header names containing underscores (for example X_Custom_Id) are invalid under this check and are silently dropped, so applications that rely on such headers must be changed to use hyphenated names first.
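The rule's logic, written out as a small standalone scanner over Terraform source. This is an added example, not Datadog's own rule implementation: it uses a minimal hand-rolled HCL reader (resource header regex plus brace matching, so it does not handle braces inside quoted strings) rather than a real HCL parser, and it assumes the rule's scope is exactly as described above: aws_alb and aws_lb blocks whose load_balancer_type is "application" or omitted, flagged when drop_invalid_header_fields is absent (provider default false) or not true. The sample configuration is constructed for the example.

```python
"""Scan Terraform source for aws_alb/aws_lb blocks that do not drop invalid header fields."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches `resource "aws_alb" "name" {` and `resource "aws_lb" "name" {`.
RESOURCE_RE = re.compile(r'resource\s+"(aws_alb|aws_lb)"\s+"([^"]+)"\s*\{')
# Matches a top-level `key = value` line; values starting with `{` are nested maps, not scalars.
ATTR_RE = re.compile(r"(\w+)\s*=\s*([^{].*)$")


@dataclass
class Finding:
    resource_type: str
    name: str
    reason: str


def _block_body(text: str, start: int) -> str:
    """Return the text between the '{' at `start` and its matching '}' (naive: ignores strings)."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def _top_level_attrs(body: str) -> dict[str, str]:
    """Collect `key = value` pairs at the resource's top level, skipping nested blocks."""
    attrs: dict[str, str] = {}
    depth = 0
    for line in body.splitlines():
        stripped = line.split("#", 1)[0].strip()  # drop trailing comments
        if depth == 0:
            m = ATTR_RE.match(stripped)
            if m:
                attrs[m.group(1)] = m.group(2).strip().strip('"')
        depth += stripped.count("{") - stripped.count("}")
    return attrs


def check(hcl: str) -> list[Finding]:
    """Return one Finding per application load balancer that does not set drop_invalid_header_fields = true."""
    findings: list[Finding] = []
    for m in RESOURCE_RE.finditer(hcl):
        rtype, name = m.group(1), m.group(2)
        attrs = _top_level_attrs(_block_body(hcl, m.end() - 1))
        # The attribute only exists on ALBs; "application" is the provider default when omitted.
        if attrs.get("load_balancer_type", "application") != "application":
            continue
        value = attrs.get("drop_invalid_header_fields")
        if value is None:
            findings.append(Finding(rtype, name, "drop_invalid_header_fields not set (defaults to false)"))
        elif value.lower() != "true":
            findings.append(Finding(rtype, name, f"drop_invalid_header_fields = {value}"))
    return findings


# Constructed sample: one compliant ALB (with a nested block whose `enabled`
# must not be confused with the ALB attribute), two non-compliant ALBs, one NLB.
SAMPLE_TF = """
resource "aws_lb" "ok" {
  name               = "alb"
  load_balancer_type = "application"
  subnets            = module.vpc.public_subnets

  drop_invalid_header_fields = true

  access_logs {
    bucket  = "logs"
    enabled = false   # nested attribute, unrelated to header handling
  }
}

resource "aws_alb" "implicit_default" {
  name    = "alb"
  subnets = module.vpc.public_subnets
}

resource "aws_lb" "explicit_false" {
  name                       = "alb"
  subnets                    = module.vpc.public_subnets
  drop_invalid_header_fields = false
}

resource "aws_lb" "nlb" {
  name               = "nlb"
  load_balancer_type = "network"
  subnets            = module.vpc.public_subnets
}
"""

if __name__ == "__main__":
    for f in check(SAMPLE_TF):
        print(f"{f.resource_type}.{f.name}: {f.reason}")
```

Run against the sample, it reports aws_alb.implicit_default and aws_lb.explicit_false and stays silent on the compliant ALB and on the network load balancer, which has no such attribute.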

Compliant Code Examples

resource "aws_alb" "enabled" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = module.vpc.public_subnets

  drop_invalid_header_fields = true
}

resource "aws_lb" "enabled" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = module.vpc.public_subnets

  drop_invalid_header_fields = true
}

resource "aws_alb" "enabled" {
  internal           = false
  name               = "alb"
  subnets            = module.vpc.public_subnets

  drop_invalid_header_fields = true
}

resource "aws_lb" "enabled" {
  internal           = false
  name               = "alb"
  subnets            = module.vpc.public_subnets

  drop_invalid_header_fields = true
}

Non-Compliant Code Examples

resource "aws_alb" "disabled_1" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = module.vpc.public_subnets
}

resource "aws_alb" "disabled_2" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = module.vpc.public_subnets

  drop_invalid_header_fields = false
}

resource "aws_lb" "disabled_1" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = module.vpc.public_subnets
}

resource "aws_lb" "disabled_2" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = module.vpc.public_subnets

  drop_invalid_header_fields = false
}

resource "aws_alb" "disabled_1" {
  internal           = false
  name               = "alb"
  subnets            = module.vpc.public_subnets
}

resource "aws_lb" "disabled_2" {
  internal           = false
  name               = "alb"
  subnets            = module.vpc.public_subnets

  drop_invalid_header_fields = false
}