AWS elasticloadbalancing medium security documentation change
Summary
Updated header modification documentation with emphasis on mTLS/TLS headers, added response headers section, removed CLI examples, and clarified security header behaviors
Security assessment
The changes emphasize security-related headers (HSTS, CORS, CSP) and mTLS/TLS header configuration. The documentation now explicitly states these headers help control application security, and the removal of specific TLS cipher details could indicate security hardening. However, there's no explicit mention of addressing a specific vulnerability.
Diff
diff --git a/elasticloadbalancing/latest/application/header-modification.md b/elasticloadbalancing/latest/application/header-modification.md index 23dd5d5c6..c42b96022 100644 --- a//elasticloadbalancing/latest/application/header-modification.md +++ b//elasticloadbalancing/latest/application/header-modification.md @@ -5 +5 @@ -Rename headersInsert headersDisable headers +Rename mTLS/TLS headersAdd response headersDisable headers @@ -9 +9 @@ Rename headersInsert headersDisable headers -HTTP header modification is supported by Application Load Balancers, for both request and response headers. Without having to update your application code, header modification allows you more control over your applications traffic and security. +HTTP header modification is supported by Application Load Balancers, for both request and response headers. Without having to update your application code, header modification allows you more control over your application's traffic and security. @@ -11 +11 @@ HTTP header modification is supported by Application Load Balancers, for both re -## Rename headers +To enable header modification, see [Enable header modification](./enable-header-modification.html). @@ -13 +13,3 @@ HTTP header modification is supported by Application Load Balancers, for both re -The header rename capability allows you to rename all Transport Layer Security (TLS) headers that the Application Load Balancer generates and adds to requests, including six mTLS headers, and two TLS headers, version and cipher. +## Rename mTLS/TLS headers + +The header rename capability allows you to configure the names of the mTLS and TLS headers that the Application Load Balancer generates and adds to requests. @@ -28,6 +30 @@ X-Amzn-TLS-Cipher-Suite | Indicates the combination of cryptographic algorithms -To enable your Application Load Balancer listener to rename request headers, use the following command: - - - aws elbv2 modify-listener-attributes \ - --listener-arn ARN \ - --attributes Key="routing.http.request.actual_header_field_name.header_name",Value="desired_header_field_name" +## Add response headers @@ -35 +32 @@ To enable your Application Load Balancer listener to rename request headers, use -## Insert headers +Using insert headers, you can configure your Application Load Balancer to add security-related headers to responses. With these attributes, you can insert headers including HSTS, CORS, and CSP. @@ -37 +34 @@ To enable your Application Load Balancer listener to rename request headers, use -Using insert headers, you can configure your Application Load Balancer to add security-related headers to responses. With ten new attributes you can insert headers including HSTS, CORS, and CSP. +By default, these headers are empty. When this happens, the Application Load Balancer does not modify this response header. @@ -39 +36 @@ Using insert headers, you can configure your Application Load Balancer to add se -The default value for all of these headers is empty. When this happens the Application Load Balancer does not modify this response header. +When you enable a response header, the Application Load Balancer adds the header with the configured value to all responses. If the response from target includes the HTTP response header, the load balancer updates the header value to be the configured value. Otherwise, the load balancer adds the HTTP response header to the response with the configured value. @@ -54,7 +50,0 @@ X-Frame-Options | Header security mechanism that helps prevent click-jacking at -To configure the Application Load Balancer listener to insert the HSTS header, use the following command: - - - aws elbv2 modify-listener-attributes \ - --listener-arn ARN \ - --attributes Key="routing.http.response.strict_transport_security.header_value",Value="max-age=time_in_sec;includeSubdomains;preload;" - @@ -67,7 +56,0 @@ The attribute name is `routing.http.response.server.enabled`. The available valu -Configure your Application Load Balancer listener to not insert the `server` header using the following command: - - - aws elbv2 modify-listener-attributes \ - --listener-arn ARN \ - --attributes Key="routing.http.response.server.enabled",Value=false - @@ -91,2 +73,0 @@ Configure your Application Load Balancer listener to not insert the `server` hea -For more information, see [Listener attributes](./load-balancer-listeners.html#listener-attributes). -