The scenario you've described indeed exposes the internal ALB name in the 'Location' header when a 301 redirect is issued. While not a critical vulnerability, it provides unnecessary information that could potentially be used in sophisticated attacks.
This seems to be the default behavior of ALB when handling redirects. To mitigate this, you have a few options:
ALB Listener Rule: Add a Listener Rule on your ALB to handle the HTTP to HTTPS redirection, instead of having your backend do it. This way, the ALB name should not be exposed in the location header.
Lambda@Edge: Use Lambda@Edge on CloudFront to modify the headers to strip out any sensitive information.
Nginx Proxy: If you're using an Nginx server, you can use it as a proxy and modify the 'Location' header to avoid exposing the internal hostname.
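As an added example (not code from the answer above or from AWS), here is the Lambda@Edge option from that answer as an origin-response function: it rewrites any Location header whose host is an ALB DNS name (ending in .elb.amazonaws.com) to the public hostname, leaves relative and third-party redirects untouched, and drops any internal port. PUBLIC_HOST and the ALB name used in the sample response are assumptions.

```javascript
'use strict';

// Assumed public hostname the viewer should see instead of the ALB name.
const PUBLIC_HOST = 'www.example.com';
// ALB DNS names end with this suffix; only those hosts are rewritten.
const INTERNAL_SUFFIX = '.elb.amazonaws.com';

// Rewrite one Location value. Relative, malformed, or non-ALB targets are
// returned unchanged so legitimate external redirects are not broken.
function rewriteLocation(location, publicHost = PUBLIC_HOST) {
  let url;
  try {
    url = new URL(location); // throws for relative or malformed values
  } catch (e) {
    return location;
  }
  if (!url.hostname.endsWith(INTERNAL_SUFFIX)) {
    return location; // not an ALB host: leave as-is
  }
  url.hostname = publicHost;
  url.port = ''; // an internal port (e.g. :8080) must not leak either
  return url.toString();
}

// Rewrite every Location header on a CloudFront origin-response object.
// CloudFront stores headers as lower-case keys mapping to [{ key, value }].
function rewriteResponse(response) {
  const headers = response.headers || {};
  if (headers.location) {
    headers.location = headers.location.map((h) => ({
      key: h.key || 'Location',
      value: rewriteLocation(h.value),
    }));
  }
  return response;
}

// Lambda@Edge entry point for the origin-response event.
async function handler(event) {
  return rewriteResponse(event.Records[0].cf.response);
}

// Constructed sample of what the backend's 301 looks like before rewriting.
const sampleResponse = {
  status: '301',
  headers: {
    location: [{ key: 'Location',
      value: 'https://internal-alb-123456.eu-west-1.elb.amazonaws.com:8080/login?next=%2F' }],
  },
};

module.exports = { rewriteLocation, rewriteResponse, handler, sampleResponse };
```

Attach the function to the CloudFront distribution's origin-response trigger so the rewrite happens before the 301 reaches the viewer; a CloudFront Function cannot be used here because only Lambda@Edge sees origin responses.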