CloudWiki
Rules
Medium

Ensure Application Load Balancers (ALB) are configured to drop HTTP headers

Security & Compliance
Description

The HTTP headers of a request or response can carry sensitive information that an attacker may intercept or manipulate. It is therefore important to configure Application Load Balancers (ALBs) to drop specific HTTP headers that are unnecessary or sensitive, such as the server version, X-Powered-By, or cookies. This ensures that the ALB does not forward sensitive information to the backend servers, reducing the attack surface for potential threats.

Remediation

To ensure that Application Load Balancers (ALB) are configured to drop HTTP headers, follow these remediation steps:

  1. Open the Amazon EC2 Console and then select "Load Balancers" from the navigation pane.
  2. Click on the name of the ALB that you want to configure.
  3. In the left navigation pane, choose "Listeners".
  4. Select the protocol and port for the listener you want to modify.
  5. In the "Actions" column, choose "Edit".
  6. Expand the "HTTP headers" section.
  7. Choose the header that you want to drop and then click on the "-" button next to it.
  8. Click "Save" to apply the changes to the listener.

Repeat these steps for any other listeners that are configured on the ALB. By dropping unnecessary HTTP headers, you can reduce the attack surface of your ALB and improve its security posture.
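The console steps above are easy to miss on an account with many listeners, so a scripted audit is the practical way to find every ALB that does not drop headers and to apply the same fix to each of them. The following is an added example, not CloudWiki or Lightlytics code. It assumes that the setting behind this rule is the ALB load balancer attribute `routing.http.drop_invalid_header_fields.enabled` (the attribute AWS exposes through the elbv2 API for dropping HTTP header fields); the `FakeElbv2` class, its ARNs and its attribute lists are constructed sample data so the script runs offline, and a real boto3 `elbv2` client can be passed in their place.

```python
"""Audit and remediate ALBs for the drop-HTTP-headers attribute.

Added example (not CloudWiki/Lightlytics code). Assumes the rule maps to the
elbv2 load balancer attribute routing.http.drop_invalid_header_fields.enabled.
"""
from typing import Dict, Iterable, List

# Assumption: this is the ALB attribute the rule refers to.
DROP_INVALID_HEADERS_KEY = "routing.http.drop_invalid_header_fields.enabled"


def drops_invalid_headers(attributes: Iterable[dict]) -> bool:
    """Return True if an attribute list (the shape returned by
    describe_load_balancer_attributes) enables header dropping.
    A missing attribute is treated as disabled, which is the AWS default."""
    for attr in attributes:
        if attr.get("Key") == DROP_INVALID_HEADERS_KEY:
            return str(attr.get("Value", "")).lower() == "true"
    return False


def audit_albs(client) -> Dict[str, bool]:
    """Map every application load balancer ARN to whether it drops headers.

    `client` is anything with the elbv2 describe_load_balancers and
    describe_load_balancer_attributes methods (a boto3 client or a fake).
    Network and gateway load balancers are skipped; they lack this attribute."""
    findings: Dict[str, bool] = {}
    marker = None
    while True:
        kwargs = {"Marker": marker} if marker else {}
        page = client.describe_load_balancers(**kwargs)
        for lb in page.get("LoadBalancers", []):
            if lb.get("Type") != "application":
                continue
            arn = lb["LoadBalancerArn"]
            attrs = client.describe_load_balancer_attributes(LoadBalancerArn=arn)
            findings[arn] = drops_invalid_headers(attrs.get("Attributes", []))
        marker = page.get("NextMarker")  # elbv2 paginates with NextMarker
        if not marker:
            break
    return findings


def remediate(client, arn: str) -> None:
    """Scripted equivalent of the console fix: enable header dropping on one ALB."""
    client.modify_load_balancer_attributes(
        LoadBalancerArn=arn,
        Attributes=[{"Key": DROP_INVALID_HEADERS_KEY, "Value": "true"}],
    )


class FakeElbv2:
    """Constructed stand-in for a boto3 elbv2 client so the example runs offline.
    ARNs and attribute values are made-up sample data."""

    WEB = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web-alb/EXAMPLE1"
    API = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/api-alb/EXAMPLE2"
    NLB = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/tcp-nlb/EXAMPLE3"

    def __init__(self) -> None:
        self._lbs: List[dict] = [
            {"LoadBalancerArn": self.WEB, "Type": "application"},
            {"LoadBalancerArn": self.API, "Type": "application"},
            {"LoadBalancerArn": self.NLB, "Type": "network"},
        ]
        self._attrs: Dict[str, List[dict]] = {
            self.WEB: [{"Key": DROP_INVALID_HEADERS_KEY, "Value": "true"}],
            # api-alb never had the attribute set, so it is at the AWS default.
            self.API: [{"Key": "idle_timeout.timeout_seconds", "Value": "60"}],
        }

    def describe_load_balancers(self, **kwargs) -> dict:
        return {"LoadBalancers": list(self._lbs)}  # single page, no NextMarker

    def describe_load_balancer_attributes(self, LoadBalancerArn: str) -> dict:
        return {"Attributes": list(self._attrs.get(LoadBalancerArn, []))}

    def modify_load_balancer_attributes(self, LoadBalancerArn: str, Attributes: List[dict]) -> dict:
        merged = {a["Key"]: a["Value"] for a in self._attrs.get(LoadBalancerArn, [])}
        merged.update({a["Key"]: a["Value"] for a in Attributes})
        self._attrs[LoadBalancerArn] = [{"Key": k, "Value": v} for k, v in merged.items()]
        return {"Attributes": self._attrs[LoadBalancerArn]}


if __name__ == "__main__":
    # Against a live account: import boto3; client = boto3.client("elbv2")
    client = FakeElbv2()
    for arn, compliant in audit_albs(client).items():
        print(f"{'OK  ' if compliant else 'FAIL'} {arn}")
        if not compliant:
            remediate(client, arn)
```

Run the audit first and review the FAIL list before calling `remediate`; the attribute takes effect on the whole ALB, not a single listener, so confirm that backend applications do not depend on header fields that would be dropped.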

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.