AWS Security ChangesHomeSearch

AWS waf medium security documentation change

Service: waf · 2026-02-25 · Security-related medium

File: waf/latest/developerguide/waf-rule-statement-fields-list.md

Summary

Added clarification about header matching behavior with space trimming

Security assessment

The change documents improved security control by specifying that header matching now trims leading/trailing spaces. This prevents evasion techniques where attackers add spaces to bypass WAF rules, directly addressing a potential security weakness in header inspection.

Diff

diff --git a/waf/latest/developerguide/waf-rule-statement-fields-list.md b/waf/latest/developerguide/waf-rule-statement-fields-list.md
index 30bf5ff7d..c47e3d86c 100644
--- a//waf/latest/developerguide/waf-rule-statement-fields-list.md
+++ b//waf/latest/developerguide/waf-rule-statement-fields-list.md
@@ -73 +73 @@ Inspects a single named header in the request.
-For this option, you specify the header name, for example, `User-Agent` or `Referer`. The string match for the name is not case sensitive.
+For this option, you specify the header name, for example, `User-Agent` or `Referer`. The string match for the name is not case sensitive and is performed after trimming leading and trailing spaces from both the request header and the rule.
@@ -87 +87 @@ The match patterns setting can be one of the following:
-    * **Excluded headers** – Inspect only the headers whose keys don't match any of the strings that you specify here. The string match for a key is not case sensitive. 
+    * **Excluded headers** – Inspect only the headers whose keys don't match any of the strings that you specify here. The string match for a key is not case sensitive. The matching is performed after trimming the leading and trailing spaces from request header and the match rule.
@@ -89 +89 @@ The match patterns setting can be one of the following:
-    * **Included headers** – Inspect only the headers that have a key that matches one of the strings that you specify here. The string match for a key is not case sensitive. 
+    * **Included headers** – Inspect only the headers that have a key that matches one of the strings that you specify here. The string match for a key is not case sensitive. The matching is performed after trimming the leading and trailing spaces from request header and the match rule.