Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.
How can I remove "aswelb/2.0" in the HTTP Response Header?
How can I remove that "awselb/2.0" in the HTTP Response Server Header?
- Newest
- Most votes
- Most comments
Note AWS team this is being reported by Penetration Testing firms as an information disclosure vulnerability. Request that action is taken to address..
Please use Amazon CloudFront's Response Headers Policies. See my response to a similar question on re:Post, How to prevent "awselb/2.0" server information exposure in HTTP response header.
Please note that AWS WAF is inspecting the incoming HTTP traffic (requests, not responses).
Unfortunately, there is no option to remove the header at this time. If you deploy 3rd Party Solution like F5 WAF, you can cloak server information.
What is the possibility of using AWS WAF to hide the server information sent in the HTTP response? If yes, is there a resource showcasing how it can be performed?
It's not customizable at the moment. A workaround would be to front the ALB with CloudFront and use edge functions to override the Server header with none, as briefly illustrated here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html#lambda-examples-overriding-response-header
What is the possibility of using AWS WAF to hide the server information sent in the HTTP response? If yes, is there a resource showcasing how it can be performed?
Relevant content
- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated 7 months ago
- AWS OFFICIALUpdated a year ago
Same on our side. AWS team please prioritize it.
What is the possible vulnerability and its exploitations if AWS manages the elb and keeps it up-to-date with latest patches. Is there any resource to know the successful/unsuccessful attacks due to this?