AWS waf medium security documentation change
Summary
Added clarification about header matching behavior with space trimming
Security assessment
The change documents improved security control by specifying that header matching now trims leading/trailing spaces. This prevents evasion techniques where attackers add spaces to bypass WAF rules, directly addressing a potential security weakness in header inspection.
Diff
diff --git a/waf/latest/developerguide/waf-rule-statement-fields-list.md b/waf/latest/developerguide/waf-rule-statement-fields-list.md index 30bf5ff7d..c47e3d86c 100644 --- a//waf/latest/developerguide/waf-rule-statement-fields-list.md +++ b//waf/latest/developerguide/waf-rule-statement-fields-list.md @@ -73 +73 @@ Inspects a single named header in the request. -For this option, you specify the header name, for example, `User-Agent` or `Referer`. The string match for the name is not case sensitive. +For this option, you specify the header name, for example, `User-Agent` or `Referer`. The string match for the name is not case sensitive and is performed after trimming leading and trailing spaces from both the request header and the rule. @@ -87 +87 @@ The match patterns setting can be one of the following: - * **Excluded headers** – Inspect only the headers whose keys don't match any of the strings that you specify here. The string match for a key is not case sensitive. + * **Excluded headers** – Inspect only the headers whose keys don't match any of the strings that you specify here. The string match for a key is not case sensitive. The matching is performed after trimming the leading and trailing spaces from request header and the match rule. @@ -89 +89 @@ The match patterns setting can be one of the following: - * **Included headers** – Inspect only the headers that have a key that matches one of the strings that you specify here. The string match for a key is not case sensitive. + * **Included headers** – Inspect only the headers that have a key that matches one of the strings that you specify here. The string match for a key is not case sensitive. The matching is performed after trimming the leading and trailing spaces from request header and the match rule.