AWS elasticloadbalancing documentation change
Summary
Added detailed documentation for modifying mTLS/TLS headers and implementing security-related HTTP response headers via ALB listener attributes
Security assessment
The changes document security-focused HTTP headers like Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, and X-Frame-Options which are critical for security hardening. While these additions help users implement security best practices, there is no direct evidence of addressing a specific existing vulnerability.
Diff
diff --git a/elasticloadbalancing/latest/application/enable-header-modification.md b/elasticloadbalancing/latest/application/enable-header-modification.md index a0ebf82f2..1b392c0e2 100644 --- a//elasticloadbalancing/latest/application/enable-header-modification.md +++ b//elasticloadbalancing/latest/application/enable-header-modification.md @@ -27 +27 @@ Header modification is turned off by default and must by enabled on each listene - 2. **Enable** and provide names for all request headers you'd like to modify. + 2. **Enable** and provide names for all request headers you'd like to modify. For more information, see [Rename mTLS/TLS headers](./header-modification.html#rename-header). @@ -33 +33 @@ Header modification is turned off by default and must by enabled on each listene - 2. **Enable** and provide values for all response headers you'd like to add. + 2. **Enable** and provide values for all response headers you'd like to add. For more information, see [Add response headers](./header-modification.html#insert-header). @@ -46 +46,96 @@ Header modification is turned off by default and must by enabled on each listene -Use the [modify-listener-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-listener-attributes.html) command. +Use the [modify-listener-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-listener-attributes.html) command with the following attributes: + +`routing.http.request.x_amzn_mtls_clientcert_serial_number.header_name` + + +Modify the header name of **X-Amzn-Mtls-Clientcert-Serial-Number**. + +`routing.http.request.x_amzn_mtls_clientcert_issuer.header_name` + + +Modify the header name of **X-Amzn-Mtls-Clientcert-Issuer**. + +`routing.http.request.x_amzn_mtls_clientcert_subject.header_name` + + +Modify the header name of **X-Amzn-Mtls-Clientcert-Subject**. + +`routing.http.request.x_amzn_mtls_clientcert_validity.header_name` + + +Modify the header name of **X-Amzn-Mtls-Clientcert-Validity**. + +`routing.http.request.x_amzn_mtls_clientcert_leaf.header_name` + + +Modify the header name of **X-Amzn-Mtls-Clientcert-Leaf**. + +`routing.http.request.x_amzn_mtls_clientcert.header_name` + + +Modify the header name of **X-Amzn-Mtls-Clientcert**. + +`routing.http.request.x_amzn_tls_version.header_name` + + +Modify the header name of **X-Amzn-Tls-Version**. + +`routing.http.request.x_amzn_tls_cipher_suite.header_name` + + +Modify the header name of **X-Amzn-Tls-Cipher-Suite**. + +`routing.http.response.server.enabled` + + +Indicates whether to allow or remove the HTTP response server header. + +`routing.http.response.strict_transport_security.header_value` + + +Add the **Strict-Transport-Security** header to inform browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS. + +`routing.http.response.access_control_allow_origin.header_value` + + +Add the **Access-Control-Allow-Origin** header to specify which origins are allowed to access the server. + +`routing.http.response.access_control_allow_methods.header_value` + + +Add the **Access-Control-Allow-Methods** header to specify which HTTP methods are allowed when accessing the server from a different origin. + +`routing.http.response.access_control_allow_headers.header_value` + + +Add the **Access-Control-Allow-Headers** header to specify which headers are allowed during a cross-origin request. + +`routing.http.response.access_control_allow_credentials.header_value` + + +Add the **Access-Control-Allow-Credentials** header to indicate whether the browser should include credentials such as cookies or authentication in cross-origin requests. + +`routing.http.response.access_control_expose_headers.header_value` + + +Add the **Access-Control-Expose-Headers** header to indicate which headers the browser can expose to the requesting client. + +`routing.http.response.access_control_max_age.header_value` + + +Add the **Access-Control-Max-Age** header to specify how long the results of a preflight request can be cached, in seconds. + +`routing.http.response.content_security_policy.header_value` + + +Add the **Content-Security-Policy** header to specify restrictions enforced by the browser to help minimize the risk of certain types of security threats. + +`routing.http.response.x_content_type_options.header_value` + + +Add the **X-Content-Type-Options** header to indicate whether the MIME types advertised in the **Content-Type** headers should be followed and not be changed. + +`routing.http.response.x_frame_options.header_value` + + +Add the **X-Frame-Options** header to indicate whether the browser is allowed to render a page in a **frame** , **iframe** , **embed** , or **object**.