AWS ALB not configured to drop invalid HTTP headers

Updated: June 19, 2025

Description

The Application Load Balancer (ALB) does not have the attribute routing.http.drop_invalid_header_fields.enabled set to true. The default for this attribute is false, so requests containing HTTP header fields with invalid names are forwarded to the targets unchanged instead of being removed at the load balancer. Forwarding malformed headers gives an attacker a channel to backend servers that may parse the request differently from the load balancer, which is the basis of HTTP request smuggling (desync) attacks; dropping them at the edge removes that channel before the request reaches the targets.

Remediation

Set the load balancer attribute routing.http.drop_invalid_header_fields.enabled to true on every Application Load Balancer. This can be done from the console (edit the load balancer attributes and enable "Drop invalid header fields"), through the ELBv2 ModifyLoadBalancerAttributes API or CLI, or in infrastructure-as-code (for example the drop_invalid_header_fields argument of a Terraform aws_lb resource). The attribute only exists for load balancers of type "application"; Network and Gateway Load Balancers are out of scope for this finding. After the change, read the attributes back and confirm the value is "true" rather than relying on the request having succeeded.
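The check and the remediation payload described above, as an added example that is not part of the FireTail page or product. It works on the data shapes returned by the ELBv2 DescribeLoadBalancers and DescribeLoadBalancerAttributes API calls, so it runs offline against the constructed sample data embedded below; the load balancer names and ARNs in that sample are made up, and the commented-out boto3 call at the end is where a live run would apply the fix.

```python
"""Detect ALBs that forward invalid HTTP header fields and build the fix.

Operates on ELBv2 API response shapes so it can be exercised offline.
The sample data below is constructed for this example and is not real
AWS output.
"""

# The ELBv2 load balancer attribute this finding is about.
ATTR_KEY = "routing.http.drop_invalid_header_fields.enabled"


def drops_invalid_headers(attributes):
    """Return True only if the attribute is present and set to "true".

    `attributes` is the list of {"Key": ..., "Value": ...} dicts from
    DescribeLoadBalancerAttributes. The ELBv2 default is false, so a
    missing key means invalid header fields are being forwarded.
    """
    for attr in attributes:
        if attr.get("Key") == ATTR_KEY:
            return attr.get("Value", "").strip().lower() == "true"
    return False


def remediation_attributes():
    """Attributes payload for ModifyLoadBalancerAttributes that fixes the finding."""
    return [{"Key": ATTR_KEY, "Value": "true"}]


def find_noncompliant(load_balancers, attributes_by_arn):
    """Return the ARNs of application load balancers that still forward
    invalid header fields.

    `load_balancers` is the LoadBalancers list from DescribeLoadBalancers;
    `attributes_by_arn` maps each ARN to its attribute list. Network and
    Gateway Load Balancers do not have this attribute and are skipped.
    """
    noncompliant = []
    for lb in load_balancers:
        if lb.get("Type") != "application":
            continue
        arn = lb["LoadBalancerArn"]
        if not drops_invalid_headers(attributes_by_arn.get(arn, [])):
            noncompliant.append(arn)
    return noncompliant


# Constructed sample data (hypothetical account, region and names).
_ARN_PREFIX = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/"
SAMPLE_LOAD_BALANCERS = [
    {"LoadBalancerArn": _ARN_PREFIX + "app/web-alb/0123456789abcdef",
     "Type": "application"},                      # attribute explicitly true
    {"LoadBalancerArn": _ARN_PREFIX + "app/api-alb/fedcba9876543210",
     "Type": "application"},                      # attribute explicitly false
    {"LoadBalancerArn": _ARN_PREFIX + "app/legacy-alb/00ff00ff00ff00ff",
     "Type": "application"},                      # attribute absent (defaults to false)
    {"LoadBalancerArn": _ARN_PREFIX + "net/tcp-nlb/1111222233334444",
     "Type": "network"},                          # NLB: out of scope
]
SAMPLE_ATTRIBUTES = {
    _ARN_PREFIX + "app/web-alb/0123456789abcdef": [
        {"Key": ATTR_KEY, "Value": "true"},
        {"Key": "idle_timeout.timeout_seconds", "Value": "60"},
    ],
    _ARN_PREFIX + "app/api-alb/fedcba9876543210": [
        {"Key": ATTR_KEY, "Value": "false"},
    ],
    _ARN_PREFIX + "app/legacy-alb/00ff00ff00ff00ff": [
        {"Key": "idle_timeout.timeout_seconds", "Value": "60"},
    ],
    _ARN_PREFIX + "net/tcp-nlb/1111222233334444": [],
}


if __name__ == "__main__":
    for arn in find_noncompliant(SAMPLE_LOAD_BALANCERS, SAMPLE_ATTRIBUTES):
        print(f"forwards invalid headers: {arn}")
        # Live remediation (requires boto3 and credentials with
        # elasticloadbalancing:ModifyLoadBalancerAttributes):
        # import boto3
        # boto3.client("elbv2").modify_load_balancer_attributes(
        #     LoadBalancerArn=arn, Attributes=remediation_attributes())
```

Against live data, feed the LoadBalancers list from describe_load_balancers and one describe_load_balancer_attributes result per ARN into find_noncompliant, then pass remediation_attributes() to modify_load_balancer_attributes for each ARN it returns and re-read the attributes to confirm the value is "true". The equivalent one-off CLI fix is `aws elbv2 modify-load-balancer-attributes --load-balancer-arn <arn> --attributes Key=routing.http.drop_invalid_header_fields.enabled,Value=true`.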

Security Frameworks

NIST SP 800-53 Rev. 5, SC-7(4) Boundary Protection | External Telecommunications Services:

(a) Implement a managed interface for each external telecommunication service;
(b) Establish a traffic flow policy for each managed interface;
(c) Protect the confidentiality and integrity of the information being transmitted across each interface;
(d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;
(e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need;
(f) Prevent unauthorized exchange of control plane traffic with external networks;
(g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and
(h) Filter unauthorized control plane traffic from external networks.

NIST SP 800-53 Rev. 5, SC-8(2) Transmission Confidentiality and Integrity | Pre- and Post-Transmission Handling:

Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.
