ALB Not Dropping Invalid Headers

  • Query id: 6e3fd2ed-5c83-4c68-9679-7700d224d379
  • Query name: ALB Not Dropping Invalid Headers
  • Platform: Terraform
  • Severity: Medium
  • Category: Best Practices
  • CWE: Ongoing
  • URL: Github


It's considered a best practice when using Application Load Balancers to drop invalid header fields

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_alb" "disabled_1" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = module.vpc.public_subnets

resource "aws_alb" "disabled_2" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = module.vpc.public_subnets

  drop_invalid_header_fields = false
Positive test num. 2 - tf file
resource "aws_lb" "disabled_1" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = module.vpc.public_subnets

resource "aws_lb" "disabled_2" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = module.vpc.public_subnets

  drop_invalid_header_fields = false
Positive test num. 3 - tf file
resource "aws_alb" "disabled_1" {
  internal           = false
  name               = "alb"
  subnets            = module.vpc.public_subnets

resource "aws_lb" "disabled_2" {
  internal           = false
  name               = "alb"
  subnets            = module.vpc.public_subnets

  drop_invalid_header_fields = false

Positive test num. 4 - tf file
module "alb" {
  source  = "terraform-aws-modules/alb/aws"
  version = "~> 6.0"

  name = "my-alb"

  load_balancer_type = "application"
  drop_invalid_header_fields = false

  vpc_id             = "vpc-abcde012"
  subnets            = ["subnet-abcde012", "subnet-bcde012a"]
  security_groups    = ["sg-edcd9784", "sg-edcd9785"]

  access_logs = {
    bucket = "my-alb-logs"

  target_groups = [
      name_prefix      = "pref-"
      backend_protocol = "HTTP"
      backend_port     = 80
      target_type      = "instance"
      targets = [
          target_id = "i-0123456789abcdefg"
          port = 80
          target_id = "i-a1b2c3d4e5f6g7h8i"
          port = 8080

  https_listeners = [
      port               = 443
      protocol           = "HTTPS"
      certificate_arn    = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
      target_group_index = 0

  http_tcp_listeners = [
      port               = 80
      protocol           = "HTTP"
      target_group_index = 0

  tags = {
    Environment = "Test"
Positive test num. 5 - tf file
module "alb" {
  source  = "terraform-aws-modules/alb/aws"
  version = "~> 6.0"

  name = "my-alb"

  load_balancer_type = "application"

  vpc_id             = "vpc-abcde012"
  subnets            = ["subnet-abcde012", "subnet-bcde012a"]
  security_groups    = ["sg-edcd9784", "sg-edcd9785"]

  access_logs = {
    bucket = "my-alb-logs"

  target_groups = [
      name_prefix      = "pref-"
      backend_protocol = "HTTP"
      backend_port     = 80
      target_type      = "instance"
      targets = [
          target_id = "i-0123456789abcdefg"
          port = 80
          target_id = "i-a1b2c3d4e5f6g7h8i"
          port = 8080

  https_listeners = [
      port               = 443
      protocol           = "HTTPS"
      certificate_arn    = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
      target_group_index = 0

  http_tcp_listeners = [
      port               = 80
      protocol           = "HTTP"
      target_group_index = 0

  tags = {
    Environment = "Test"
Positive test num. 6 - tf file
module "alb" {
  source  = "terraform-aws-modules/alb/aws"
  version = "~> 6.0"

  name = "my-alb"

  vpc_id             = "vpc-abcde012"
  subnets            = ["subnet-abcde012", "subnet-bcde012a"]
  security_groups    = ["sg-edcd9784", "sg-edcd9785"]

  access_logs = {
    bucket = "my-alb-logs"

  target_groups = [
      name_prefix      = "pref-"
      backend_protocol = "HTTP"
      backend_port     = 80
      target_type      = "instance"
      targets = [
          target_id = "i-0123456789abcdefg"
          port = 80
          target_id = "i-a1b2c3d4e5f6g7h8i"
          port = 8080

  https_listeners = [
      port               = 443
      protocol           = "HTTPS"
      certificate_arn    = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
      target_group_index = 0

  http_tcp_listeners = [
      port               = 80
      protocol           = "HTTP"
      target_group_index = 0

  tags = {
    Environment = "Test"

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_alb" "enabled" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = module.vpc.public_subnets

  drop_invalid_header_fields = true
Negative test num. 2 - tf file
resource "aws_lb" "enabled" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = module.vpc.public_subnets

  drop_invalid_header_fields = true
Negative test num. 3 - tf file
resource "aws_alb" "enabled" {
  internal           = false
  name               = "alb"
  subnets            = module.vpc.public_subnets

  drop_invalid_header_fields = true

resource "aws_lb" "enabled" {
  internal           = false
  name               = "alb"
  subnets            = module.vpc.public_subnets

  drop_invalid_header_fields = true

Negative test num. 4 - tf file
module "alb" {
  source  = "terraform-aws-modules/alb/aws"
  version = "~> 6.0"

  name = "my-alb"

  load_balancer_type = "application"
  drop_invalid_header_fields = true

  vpc_id             = "vpc-abcde012"
  subnets            = ["subnet-abcde012", "subnet-bcde012a"]
  security_groups    = ["sg-edcd9784", "sg-edcd9785"]

  access_logs = {
    bucket = "my-alb-logs"

  target_groups = [
      name_prefix      = "pref-"
      backend_protocol = "HTTP"
      backend_port     = 80
      target_type      = "instance"
      targets = [
          target_id = "i-0123456789abcdefg"
          port = 80
          target_id = "i-a1b2c3d4e5f6g7h8i"
          port = 8080

  https_listeners = [
      port               = 443
      protocol           = "HTTPS"
      certificate_arn    = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
      target_group_index = 0

  http_tcp_listeners = [
      port               = 80
      protocol           = "HTTP"
      target_group_index = 0

  tags = {
    Environment = "Test"
Negative test num. 5 - tf file
module "alb" {
  source  = "terraform-aws-modules/alb/aws"
  version = "~> 6.0"

  name = "my-alb"

  drop_invalid_header_fields = true

  vpc_id             = "vpc-abcde012"
  subnets            = ["subnet-abcde012", "subnet-bcde012a"]
  security_groups    = ["sg-edcd9784", "sg-edcd9785"]

  access_logs = {
    bucket = "my-alb-logs"

  target_groups = [
      name_prefix      = "pref-"
      backend_protocol = "HTTP"
      backend_port     = 80
      target_type      = "instance"
      targets = [
          target_id = "i-0123456789abcdefg"
          port = 80
          target_id = "i-a1b2c3d4e5f6g7h8i"
          port = 8080

  https_listeners = [
      port               = 443
      protocol           = "HTTPS"
      certificate_arn    = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
      target_group_index = 0

  http_tcp_listeners = [
      port               = 80
      protocol           = "HTTP"
      target_group_index = 0

  tags = {
    Environment = "Test"