Findings

AWS ALB not configured to drop invalid HTTP headers

Updated: June 19, 2025

Description

Severity: Info

The Application Load Balancer (ALB) is not configured to drop invalid HTTP headers.

Invalid or malformed HTTP headers can be exploited by attackers to bypass security controls, manipulate traffic, or inject malicious payloads. Allowing such headers increases the risk of HTTP smuggling attacks, header injection, and potential backend system vulnerabilities.
Accepting invalid HTTP headers gives attackers opportunities to exploit ambiguities in header parsing, potentially leading to unauthorized access, data breaches, and service disruptions. The lack of header validation can also compromise the integrity and security of backend services.

Example Attack

An attacker sends a specially crafted HTTP request with malformed headers to the ALB. The request exploits discrepancies in how the ALB and backend services parse headers, leading to an HTTP smuggling attack. By chaining this exploit, the attacker gains unauthorized access to backend systems or injects malicious payloads into valid requests.

After enabling the Drop Invalid Header Fields setting, the ALB discards any request with malformed headers, effectively neutralizing this attack vector.

Remediation

Enable the Drop Invalid Header Fields setting on the Application Load Balancer so that it automatically drops invalid HTTP headers. This ensures that only well-formed, compliant headers are processed, reducing the risk of attacks that leverage malformed headers.
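The check and the fix described above, as an added boto3 example that is not part of the original finding: it audits every Application Load Balancer in a region for the `routing.http.drop_invalid_header_fields.enabled` attribute and, with `--fix`, enables it. The sample load balancer records are constructed to let the pure checks run offline; the `audit_and_fix` function is the only part that touches AWS.

```python
"""Audit ALBs for the drop-invalid-header-fields attribute and remediate."""
from typing import Dict, List

DROP_INVALID_KEY = "routing.http.drop_invalid_header_fields.enabled"

# Constructed sample data in the shape returned by describe_load_balancers
# and describe_load_balancer_attributes (ARNs are placeholders).
SAMPLE_LBS = [
    {"LoadBalancerArn": "arn:aws:elasticloadbalancing:::loadbalancer/app/web/1", "Type": "application"},
    {"LoadBalancerArn": "arn:aws:elasticloadbalancing:::loadbalancer/app/api/2", "Type": "application"},
    {"LoadBalancerArn": "arn:aws:elasticloadbalancing:::loadbalancer/net/tcp/3", "Type": "network"},
]
SAMPLE_ATTRS = {
    SAMPLE_LBS[0]["LoadBalancerArn"]: [{"Key": DROP_INVALID_KEY, "Value": "true"}],
    SAMPLE_LBS[1]["LoadBalancerArn"]: [{"Key": DROP_INVALID_KEY, "Value": "false"}],
}

def drops_invalid_headers(attributes: List[Dict[str, str]]) -> bool:
    """True when the attribute list enables dropping invalid header fields.
    AWS creates ALBs with this attribute set to 'false', so a missing key
    is treated as disabled rather than compliant."""
    for attr in attributes:
        if attr.get("Key") == DROP_INVALID_KEY:
            return attr.get("Value", "").lower() == "true"
    return False

def find_noncompliant(load_balancers, attributes_by_arn) -> List[str]:
    """ARNs of ALBs that still forward invalid headers. Network and gateway
    load balancers are skipped: the attribute only exists on the application type."""
    return [lb["LoadBalancerArn"] for lb in load_balancers
            if lb.get("Type") == "application"
            and not drops_invalid_headers(attributes_by_arn.get(lb["LoadBalancerArn"], []))]

def audit_and_fix(region: str, apply: bool = False) -> List[str]:
    """Query the account (boto3 imported here so the checks above run offline);
    with apply=True, enable the setting on every finding."""
    import boto3
    elbv2 = boto3.client("elbv2", region_name=region)
    lbs = [lb for page in elbv2.get_paginator("describe_load_balancers").paginate()
           for lb in page["LoadBalancers"]]
    attrs = {lb["LoadBalancerArn"]: elbv2.describe_load_balancer_attributes(
        LoadBalancerArn=lb["LoadBalancerArn"])["Attributes"] for lb in lbs}
    findings = find_noncompliant(lbs, attrs)
    for arn in findings:
        print(f"FINDING: {arn} does not drop invalid HTTP headers")
        if apply:
            elbv2.modify_load_balancer_attributes(
                LoadBalancerArn=arn, Attributes=[{"Key": DROP_INVALID_KEY, "Value": "true"}])
    return findings

if __name__ == "__main__":
    import sys
    audit_and_fix(sys.argv[1] if len(sys.argv) > 1 else "us-east-1", apply="--fix" in sys.argv)
```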

Security Frameworks

(a) Implement a managed interface for each external telecommunication service;
(b) Establish a traffic flow policy for each managed interface;
(c) Protect the confidentiality and integrity of the information being transmitted across each interface;
(d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;
(e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need;
(f) Prevent unauthorized exchange of control plane traffic with external networks;
(g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and
(h) Filter unauthorized control plane traffic from external networks.

Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.
