AWS Security ChangesHomeSearch

AWS elasticloadbalancing documentation change

Service: elasticloadbalancing · 2025-05-10 · Documentation high

File: elasticloadbalancing/latest/application/enable-header-modification.md

Summary

Added detailed documentation for modifying mTLS/TLS headers and implementing security-related HTTP response headers via ALB listener attributes

Security assessment

The changes document security-focused HTTP headers like Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, and X-Frame-Options which are critical for security hardening. While these additions help users implement security best practices, there is no direct evidence of addressing a specific existing vulnerability.

Diff

diff --git a/elasticloadbalancing/latest/application/enable-header-modification.md b/elasticloadbalancing/latest/application/enable-header-modification.md
index a0ebf82f2..1b392c0e2 100644
--- a//elasticloadbalancing/latest/application/enable-header-modification.md
+++ b//elasticloadbalancing/latest/application/enable-header-modification.md
@@ -27 +27 @@ Header modification is turned off by default and must by enabled on each listene
-    2. **Enable** and provide names for all request headers you'd like to modify.
+    2. **Enable** and provide names for all request headers you'd like to modify. For more information, see [Rename mTLS/TLS headers](./header-modification.html#rename-header).
@@ -33 +33 @@ Header modification is turned off by default and must by enabled on each listene
-    2. **Enable** and provide values for all response headers you'd like to add.
+    2. **Enable** and provide values for all response headers you'd like to add. For more information, see [Add response headers](./header-modification.html#insert-header).
@@ -46 +46,96 @@ Header modification is turned off by default and must by enabled on each listene
-Use the [modify-listener-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-listener-attributes.html) command.
+Use the [modify-listener-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-listener-attributes.html) command with the following attributes:
+
+`routing.http.request.x_amzn_mtls_clientcert_serial_number.header_name`
+    
+
+Modify the header name of **X-Amzn-Mtls-Clientcert-Serial-Number**.
+
+`routing.http.request.x_amzn_mtls_clientcert_issuer.header_name`
+    
+
+Modify the header name of **X-Amzn-Mtls-Clientcert-Issuer**.
+
+`routing.http.request.x_amzn_mtls_clientcert_subject.header_name`
+    
+
+Modify the header name of **X-Amzn-Mtls-Clientcert-Subject**.
+
+`routing.http.request.x_amzn_mtls_clientcert_validity.header_name`
+    
+
+Modify the header name of **X-Amzn-Mtls-Clientcert-Validity**.
+
+`routing.http.request.x_amzn_mtls_clientcert_leaf.header_name`
+    
+
+Modify the header name of **X-Amzn-Mtls-Clientcert-Leaf**.
+
+`routing.http.request.x_amzn_mtls_clientcert.header_name`
+    
+
+Modify the header name of **X-Amzn-Mtls-Clientcert**.
+
+`routing.http.request.x_amzn_tls_version.header_name`
+    
+
+Modify the header name of **X-Amzn-Tls-Version**.
+
+`routing.http.request.x_amzn_tls_cipher_suite.header_name`
+    
+
+Modify the header name of **X-Amzn-Tls-Cipher-Suite**.
+
+`routing.http.response.server.enabled`
+    
+
+Indicates whether to allow or remove the HTTP response server header.
+
+`routing.http.response.strict_transport_security.header_value`
+    
+
+Add the **Strict-Transport-Security** header to inform browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.
+
+`routing.http.response.access_control_allow_origin.header_value`
+    
+
+Add the **Access-Control-Allow-Origin** header to specify which origins are allowed to access the server.
+
+`routing.http.response.access_control_allow_methods.header_value`
+    
+
+Add the **Access-Control-Allow-Methods** header to specify which HTTP methods are allowed when accessing the server from a different origin.
+
+`routing.http.response.access_control_allow_headers.header_value`
+    
+
+Add the **Access-Control-Allow-Headers** header to specify which headers are allowed during a cross-origin request.
+
+`routing.http.response.access_control_allow_credentials.header_value`
+    
+
+Add the **Access-Control-Allow-Credentials** header to indicate whether the browser should include credentials such as cookies or authentication in cross-origin requests.
+
+`routing.http.response.access_control_expose_headers.header_value`
+    
+
+Add the **Access-Control-Expose-Headers** header to indicate which headers the browser can expose to the requesting client.
+
+`routing.http.response.access_control_max_age.header_value`
+    
+
+Add the **Access-Control-Max-Age** header to specify how long the results of a preflight request can be cached, in seconds.
+
+`routing.http.response.content_security_policy.header_value`
+    
+
+Add the **Content-Security-Policy** header to specify restrictions enforced by the browser to help minimize the risk of certain types of security threats.
+
+`routing.http.response.x_content_type_options.header_value`
+    
+
+Add the **X-Content-Type-Options** header to indicate whether the MIME types advertised in the **Content-Type** headers should be followed and not be changed.
+
+`routing.http.response.x_frame_options.header_value`
+    
+
+Add the **X-Frame-Options** header to indicate whether the browser is allowed to render a page in a **frame** , **iframe** , **embed** , or **object**.