How to use AWS WAF to prevent "awselb/2.0" server information exposure in HTTP response header?

0

vulnerability snapshot We identified this vulnerability in our VAPT reports. unfortunately, AWS doesn't provide any option to remove the header. It's not customisable at the moment and has been the case since years.

While AWS CloudFront and other 3rd party WAF can be utilised for is a possible remediation methodology. We seek to understand how we can use our existing AWS WAF to remediate this vulnerability.

It is not feasible to buy AWS Cloudfront or change our WAF solution for a low severity vulnerability like this.

3 Answers
3

Please consider using CloudFront's native feature Response Headers Policy to remove the header. Yes, you can manipulate headers with edge compute too (CloudFront Functions, Lambda@Edge), but native features, such as Response Header Policies should be preferred whenever possible, as they are free of charge and generally faster to execute.

Removing headers is not possible on "pure ALB" today - a reverse proxy, like Amazon CloudFront, is very often used for such modifications to the HTTP requests and responses.

By putting CloudFront in front of your Load Balancer, you'll gain access to new capabilities of the AWS CDN (content delivery network), such as policies. It is easy to set up for dynamic content (just disable caching using a managed CachingDisabled cache policy), and it has further cost and performance benefits:

  • reduce cost of data delivery, because of the Always Free 1TB of data per month, lower Data Transfer Out cost per GB, comparing to regional resources like ALBs, and further options, like CloudFront Savings Bundle,
  • lower latency between your users (viewers) and the AWS network - take advantage of AWS edge network infrastructure deployed in over 100 countries worldwide. Please see how Slack improved their API response time by 300ms and reduced API latency from 90ms to 15ms,
  • persist connections to your application - even if requests are purely dynamic, requests forwarded over persistent connections from CloudFront's edge locations do not need to establish new TCP/TLS connections to the application (ALB). It removes the latency of multiple round trips, maintains scaled TCP windows, and reduces required ALB capacity and cost, because of a lower number of new and active connections,
  • serve content over modern internet protocols such as HTTP/3 or TLS1.3, even if your application doesn’t support it.

How to remove HTTP header with Amazon CloudFront

AWS
Piotrek
answered a month ago
  • While CloudFront is one option. We want to understand the ability of AWS in this case as we are utilise AWS WAF.

0
Accepted Answer

Has someone used WAF Block actions to restrict the elb version showcased in header response. Check: https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html

With Block actions, one can define a complete custom response, with response code, headers, and body.

The protected resource responds to the request using the custom response provided by AWS WAF. Your custom response replaces the default Block action response of 403 (Forbidden). It will allow you to fully customize your http header as you header will replace original one.

answered a month ago
0

Currently, ALB does not support modifying or removing this header. Please note that this header does not disclose the version of the software used by the ALB, but the version of Elastic Load Balancer that generated it, an ALB will always return ‘awselb/2.0’.

As a workaround, you may consider using CloudFront and Lambda@Edge to modify the response headers from ALB.

When CloudFront receives an HTTP response from the origin server (which would be ALB in your case), if there is an origin-response trigger associated with the cache behavior, you can modify the HTTP response to override what was returned from the origin. For more information around the same and how to implement this, please refer following documentation links for more details: [1][2][3]

[1] https://docs.aws.amazon.com/lambda/latest/dg/lambda-edge.html

[2] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html

[3] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-updating-http-responses.html

profile pictureAWS
EXPERT
answered a month ago
profile picture
EXPERT
reviewed a month ago
  • Has someone used WAF Block actions to restrict the elb version showcased in header response. Check: https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html

    With Block actions, one can define a complete custom response, with response code, headers, and body.

    The protected resource responds to the request using the custom response provided by AWS WAF. Your custom response replaces the default Block action response of 403 (Forbidden). It will allow you to fully customize your http header as you header will replace original one.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions