Skip to main content

ELB load balancers should drop invalid headers

  • GG_ID: GG_IAC_0049
  • Severity: HIGH
  • Complexity: MEDIUM
  • Categories: NETWORK
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: True
  • User interaction required: False
  • Privileges required: False


Elastic Load Balancing automatically distributes incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones.

Load balancers have an option to drop invalid headers which indicates whether HTTP headers with header fields that are not valid are removed by the load balancer or routed to targets. Elastic Load Balancing will require that message header names conform to the regular expression [-A-Za-z0-9]+, which describes all registered internet message headers.


Not dropping invalid headers could lead to attackers exploiting vulnerabilities.

Remediation guidelines#

Enable dropping invalid header fields for load balancers. Note that if unconventional header fields are used, this could drop headers which were not supposed to be dropped.

External documentation#