
Rule: ELB Application Load Balancers Should Drop HTTP Headers

This rule specifies that ELB application load balancers must drop HTTP headers to ensure security and compliance.

Rule: ELB application load balancers should drop HTTP headers
Framework: NIST 800-53 Revision 4
Severity: High

Rule Description

ELB application load balancers should drop specific HTTP headers for compliance with NIST 800-53 Revision 4. This is done to ensure the security and privacy of sensitive information communicated through HTTP headers.

Troubleshooting Steps

If you encounter any issues while implementing this rule, you can follow these steps to troubleshoot:

  1. Check if the ELB application load balancer is configured properly.
  2. Verify if the desired headers are indeed being dropped.
  3. Ensure that the ELB log files and AWS CloudTrail logs are enabled to track any changes made to the load balancer.
  4. Review any error or warning messages in the logs or console that might indicate the cause of the issue.
  5. Confirm that the rule is applied correctly to all relevant load balancers.

Necessary Configuration Codes

There are no specific codes for this rule. The configuration is done through the AWS Management Console or AWS Command Line Interface (CLI).

Step-by-Step Guide

Follow these steps to implement the rule and drop HTTP headers on an ELB application load balancer:

Step 1: Accessing AWS Management Console

  1. Log in to your AWS Management Console.
  2. Navigate to the Amazon EC2 Dashboard.

Step 2: Selecting Load Balancers

  1. From the left-hand menu, click on "Load Balancers" under the "LOAD BALANCING" section.

Step 3: Selecting the Application Load Balancer

  1. Select the specific Application Load Balancer (ALB) that you want to configure.

Step 4: Configuring Listeners

  1. Click on the "Listeners" tab in the ALB management interface.
  2. Identify the listener that requires HTTP header dropping.
  3. Click on the listener to modify its settings.

Step 5: Modifying Listener Rules

  1. Locate the "HTTP headers" section in the listener settings.
  2. Click the "Edit" button next to the existing rules or "Add rule" if no rules are present.

Step 6: Dropping HTTP Headers

  1. In the "Edit Rule" or "Add Rule" dialog box, configure the following settings:
     • Rule Name: Provide a descriptive name for the rule.
     • Field: Choose whether to drop headers based on the header name or value.
     • Header Name or Value: Enter the name or value of the header to be dropped.
     • Action: Select "Drop" from the dropdown menu to remove the specified header.
     • Priority: Set the priority of the rule. Lower numbers have higher priority.
  2. Click the "Add" or "Save" button to apply the rule.
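To validate the result of the steps above across an account, the following Python is an added example (not code from Cloud Defense or AWS) that evaluates each load balancer using the response shapes of `aws elbv2 describe-load-balancers` and `aws elbv2 describe-load-balancer-attributes`. It assumes the rule maps to the ALB attribute `routing.http.drop_invalid_header_fields.enabled`, the AWS setting that makes an ALB drop non-conforming HTTP header fields (the page itself names no attribute), and the load balancer data is constructed inline so it runs offline.

```python
"""Added example: check ALBs for the drop-HTTP-headers rule.
Assumption: the rule corresponds to the ALB attribute below; all load
balancer data here is constructed, not read from a live account."""
from typing import Dict, List

ATTR = "routing.http.drop_invalid_header_fields.enabled"
ACCOUNT = "111122223333"  # AWS documentation placeholder account id


def _arn(kind: str, name: str, suffix: str) -> str:
    """Build a constructed ELBv2 ARN in the real format."""
    return (f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT}:"
            f"loadbalancer/{kind}/{name}/{suffix}")


# Constructed sample: what describe-load-balancers lists (two ALBs, one NLB).
LOAD_BALANCERS = [
    {"LoadBalancerArn": _arn("app", "web-alb", "0123456789abcdef"), "Type": "application"},
    {"LoadBalancerArn": _arn("app", "api-alb", "fedcba9876543210"), "Type": "application"},
    {"LoadBalancerArn": _arn("net", "tcp-nlb", "0011223344556677"), "Type": "network"},
]

# Constructed sample: per-ARN output of describe-load-balancer-attributes.
ATTRIBUTES = {
    LOAD_BALANCERS[0]["LoadBalancerArn"]: [{"Key": ATTR, "Value": "true"},
                                           {"Key": "idle_timeout.timeout_seconds", "Value": "60"}],
    LOAD_BALANCERS[1]["LoadBalancerArn"]: [{"Key": ATTR, "Value": "false"}],
}


def drops_invalid_headers(attributes: List[Dict[str, str]]) -> bool:
    """True only when the attribute is present and explicitly 'true'.
    A missing key means the AWS default (disabled), so it is non-compliant."""
    for attr in attributes:
        if attr.get("Key") == ATTR:
            return attr.get("Value", "").strip().lower() == "true"
    return False


def remediation_command(arn: str) -> str:
    """AWS CLI call that enables the attribute on one ALB."""
    return (f"aws elbv2 modify-load-balancer-attributes --load-balancer-arn {arn} "
            f"--attributes Key={ATTR},Value=true")


def evaluate(load_balancers, attributes_by_arn) -> Dict[str, List[str]]:
    """Classify ALBs as compliant or non_compliant; other load balancer
    types are skipped because the attribute only exists on ALBs."""
    result: Dict[str, List[str]] = {"compliant": [], "non_compliant": [], "skipped": []}
    for lb in load_balancers:
        arn = lb["LoadBalancerArn"]
        if lb.get("Type") != "application":
            result["skipped"].append(arn)
        elif drops_invalid_headers(attributes_by_arn.get(arn, [])):
            result["compliant"].append(arn)
        else:
            result["non_compliant"].append(arn)
    return result


if __name__ == "__main__":
    for arn in evaluate(LOAD_BALANCERS, ATTRIBUTES)["non_compliant"]:
        print("NON-COMPLIANT:", arn)
        print("  fix:", remediation_command(arn))
```

Against a real account, replace the two constructed structures with the JSON returned by the two CLI calls; the evaluation logic is unchanged.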

Conclusion

By following the above steps, you can ensure that the ELB application load balancer adheres to the NIST 800-53 Revision 4 requirement of dropping specific HTTP headers. Regularly validate the configuration to maintain compliance and ensure the security of your systems and sensitive data.
