ELBs Should Drop Invalid HTTP Header

More Info:

Invalid HTTP Headers in ELB should be dropped.

Risk Level

Medium

Address

Security

Compliance Standards

HIPAA, GDPR, NIST

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the “ELBs Should Drop Invalid HTTP Header” misconfiguration for AWS using AWS CLI, you can follow these steps:

Open the AWS CLI and run the following command to list all the load balancers in your AWS account:
```
aws elbv2 describe-load-balancers
```
Identify the ARN (Amazon Resource Name) of the load balancer that you want to remediate.
Run the following command to update the load balancer attributes and drop invalid HTTP headers:
```
aws elbv2 modify-load-balancer-attributes --load-balancer-arn <load_balancer_arn> --attributes Key=http2.dropped_headers,Value=HTTP_X_FORWARDED_FOR
```
Note: Replace <load_balancer_arn> with the ARN of the load balancer identified in step 2.
Verify that the invalid HTTP headers are dropped by running the following command:
```
aws elbv2 describe-load-balancer-attributes --load-balancer-arn <load_balancer_arn>
```
Note: Replace <load_balancer_arn> with the ARN of the load balancer identified in step 2. This command will return the load balancer attributes, including the dropped HTTP headers.

By following these steps, you should be able to remediate the “ELBs Should Drop Invalid HTTP Header” misconfiguration for AWS using AWS CLI.

Using Python

To remediate the misconfiguration “ELBs Should Drop Invalid HTTP Header” for AWS using python, follow these steps:

Import the boto3 library to interact with AWS services using python.
```
import boto3
```
Create a boto3 client for the Elastic Load Balancing service.
```
elb_client = boto3.client('elbv2')
```

Get a list of all the load balancers in your AWS account.

response = elb_client.describe_load_balancers()
load_balancers = response['LoadBalancers']

For each load balancer, check if the “http.headers” attribute is set to “drop.invalid.header.fields”. If it is not, update the attribute to “drop.invalid.header.fields”.

for lb in load_balancers:
    lb_arn = lb['LoadBalancerArn']
    lb_attributes = elb_client.describe_load_balancer_attributes(LoadBalancerArn=lb_arn)
    lb_http_headers = lb_attributes['Attributes'][0]
    if lb_http_headers['Key'] == 'http.headers':
        if lb_http_headers['Value'] != 'drop.invalid.header.fields':
            elb_client.modify_load_balancer_attributes(
                LoadBalancerArn=lb_arn,
                Attributes=[
                    {
                        'Key': 'http.headers',
                        'Value': 'drop.invalid.header.fields'
                    }
                ]
            )

Once the “http.headers” attribute is updated for all the load balancers, the misconfiguration “ELBs Should Drop Invalid HTTP Header” will be remediated.
```
print("Misconfiguration remediated successfully!")
```

Note: Make sure you have the necessary permissions to modify the attributes of the load balancers in your AWS account.

Additional Reading:

https://docs.aws.amazon.com/elasticloadbalancing/

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

ELBs Should Drop Invalid HTTP Header

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: