AWS WAFv2 determine header order

0

I am wondering if it is possible to determine the header key order in the request and then use this value in rules?

For example, the header object would contain the following:

httpRequest.headers.0.name   Host
httpRequest.headers.0.value  api.test.com
httpRequest.headers.1.name   user-agent
httpRequest.headers.1.value  Mozilla/5.0 (Linux; Android 10; SM-A217F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Mobile Safari/537.36

I want to check httpRequest.headers.1.name to see if this was user-agent.

HieuVu
asked 2 years ago · 416 views
2 Answers
0

Hello HieuVu,

Well, the order you're seeing is an interpreted format of the request for the log view (i.e., for reading and filtering purposes in CW or Athena).

Thus, at any point in time WAF only sees Key:Value (i.e., User-Agent:Mozilla/5.0...) header components, NOT the order of the HTTP components.

https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-fields.html

Regards, CK

AWS
answered 2 years ago
  • Hi Chethan,

    I understand that it is an interpreted format. My question is whether it is possible to determine the order the headers are in, so either to see what the second header is or to determine in which position user-agent was sent.

0

Hello HieuVu,

AWS WAF now supports the Header Order match statement for request inspection:

https://aws.amazon.com/tw/about-aws/whats-new/2023/06/aws-waf-header-order-match-statement-request-inspection/

AWS WAF separates the header names in the string using colons and no added spaces, for example:

host:user-agent:accept:authorization:referer

In your use case, you can configure a WAF rule like this:

host:user-agent with PositionalConstraint STARTS_WITH

Here is an example WAF rule in JSON:

{
  "Name": "testheaderorder",
  "Priority": 0,
  "Action": {
    "Count": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "testheaderorder"
  },
  "Statement": {
    "ByteMatchStatement": {
      "FieldToMatch": {
        "HeaderOrder": {
          "OversizeHandling": "CONTINUE"
        }
      },
      "PositionalConstraint": "STARTS_WITH",
      "SearchString": "host:user-agent",
      "TextTransformations": [
        {
          "Type": "NONE",
          "Priority": 0
        }
      ]
    }
  }
}

To find more information regarding HeaderOrder, see:

HeaderOrder

https://docs.aws.amazon.com/waf/latest/APIReference/API_HeaderOrder.html

AWS Web Application Firewall (WAF): Header Order Match Statement | Amazon Web Services

https://www.youtube.com/watch?v=gZtGBhXlgIo

AWS
Mark_W
answered 8 months ago
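To check a HeaderOrder rule like the one in the answer above against sample requests before deploying it, here is an offline model of the field to match. This is an added example, not AWS code and not from the answer: it rebuilds the string WAF generates (header names in request order, joined with colons and no spaces), applies TextTransformations, and evaluates the ByteMatchStatement from the answer's JSON. It also goes a step beyond the answer in two ways: a RegexMatchStatement over the same field expresses "user-agent is the second header, whatever the first one is", which a byte match cannot, and an OversizeHandling path models the documented 200-header / 8 KB limit. Assumptions: counting name plus value bytes as "header contents" for the oversize check, and that header-name case in the generated string is not guaranteed (nothing on this page says WAF lowercases it), so the hardened variant adds a LOWERCASE transformation instead of relying on it. The sample requests are constructed.

```python
"""Offline model of the AWS WAFv2 HeaderOrder field to match (constructed
example, not AWS code): rebuilds the string WAF generates and evaluates
ByteMatchStatement / RegexMatchStatement rules against sample requests."""
import re

# Limits stated for HeaderOrder OversizeHandling: WAF inspects at most 200
# headers and 8 KB of header contents. Counting name + value bytes as
# "contents" is an assumption of this model.
MAX_HEADERS = 200
MAX_HEADER_BYTES = 8192
WORD = r"[A-Za-z0-9_]"


def header_order_string(headers):
    """The string WAF generates for HeaderOrder: names only, request order."""
    return ":".join(name for name, _ in headers)


def visible_headers(headers):
    """The prefix of the headers that fits inside the 200 / 8 KB limits."""
    seen, budget = [], MAX_HEADER_BYTES
    for name, value in headers[:MAX_HEADERS]:
        size = len(name.encode()) + len(value.encode())
        if size > budget:
            break
        budget -= size
        seen.append((name, value))
    return seen


def is_oversize(headers):
    return len(visible_headers(headers)) < len(headers)


def transform(text, transformations):
    """Apply TextTransformations in Priority order (NONE and LOWERCASE only)."""
    for t in sorted(transformations or [], key=lambda t: t["Priority"]):
        if t["Type"] == "LOWERCASE":
            text = text.lower()
        elif t["Type"] != "NONE":
            raise ValueError(f"unsupported TextTransformation {t['Type']}")
    return text


def positional_match(text, needle, constraint):
    """PositionalConstraint semantics of ByteMatchStatement."""
    if constraint == "EXACTLY":
        return text == needle
    if constraint == "STARTS_WITH":
        return text.startswith(needle)
    if constraint == "ENDS_WITH":
        return text.endswith(needle)
    if constraint == "CONTAINS":
        return needle in text
    if constraint == "CONTAINS_WORD":  # bounded by non-word chars or string ends
        return re.search(rf"(?<!{WORD}){re.escape(needle)}(?!{WORD})", text) is not None
    raise ValueError(f"unknown PositionalConstraint {constraint}")


def evaluate(statement, headers):
    """True when a ByteMatch/RegexMatch statement over HeaderOrder matches."""
    kind, body = next(iter(statement.items()))
    field = body["FieldToMatch"]
    if "HeaderOrder" not in field:
        raise ValueError("this model only handles FieldToMatch.HeaderOrder")
    if is_oversize(headers):
        handling = field["HeaderOrder"].get("OversizeHandling", "CONTINUE")
        if handling in ("MATCH", "NO_MATCH"):
            return handling == "MATCH"
        headers = visible_headers(headers)  # CONTINUE: inspect what WAF saw
    text = transform(header_order_string(headers), body.get("TextTransformations"))
    if kind == "ByteMatchStatement":
        return positional_match(text, body["SearchString"], body["PositionalConstraint"])
    if kind == "RegexMatchStatement":
        return re.search(body["RegexString"], text) is not None
    raise ValueError(f"unsupported statement {kind}")


# The Statement from the answer's rule JSON above (Type NONE: case-sensitive).
PAGE_STATEMENT = {"ByteMatchStatement": {
    "FieldToMatch": {"HeaderOrder": {"OversizeHandling": "CONTINUE"}},
    "PositionalConstraint": "STARTS_WITH", "SearchString": "host:user-agent",
    "TextTransformations": [{"Type": "NONE", "Priority": 0}]}}

# Same rule with LOWERCASE, so "Host:User-Agent" also matches (assumed variant).
HARDENED_STATEMENT = {"ByteMatchStatement": {
    "FieldToMatch": {"HeaderOrder": {"OversizeHandling": "NO_MATCH"}},
    "PositionalConstraint": "STARTS_WITH", "SearchString": "host:user-agent",
    "TextTransformations": [{"Type": "LOWERCASE", "Priority": 0}]}}

# "user-agent is the second header, whatever the first is" (assumed variant).
SECOND_IS_UA = {"RegexMatchStatement": {
    "FieldToMatch": {"HeaderOrder": {"OversizeHandling": "NO_MATCH"}},
    "RegexString": r"^[^:]+:user-agent(?::|$)",
    "TextTransformations": [{"Type": "LOWERCASE", "Priority": 0}]}}

# Constructed sample requests: (name, value) in the order the client sent them.
BROWSER = [("host", "api.test.com"), ("user-agent", "Mozilla/5.0 (Linux; Android 10)"),
           ("accept", "*/*")]
SCRIPT = [("user-agent", "python-requests/2.31.0"), ("accept-encoding", "gzip"),
          ("host", "api.test.com")]
MIXED_CASE = [("Host", "api.test.com"), ("User-Agent", "curl/8.4.0")]
OVERSIZE = BROWSER + [(f"x-pad-{i}", "v") for i in range(250)]  # 253 headers

if __name__ == "__main__":
    for label, req in [("browser", BROWSER), ("script", SCRIPT), ("mixed", MIXED_CASE)]:
        print(label, header_order_string(req), evaluate(PAGE_STATEMENT, req),
              evaluate(HARDENED_STATEMENT, req), evaluate(SECOND_IS_UA, req))
```

Running it shows the point of the hardened variant: the answer's rule with Type NONE does not match a client that sends Host:User-Agent in mixed case, while the LOWERCASE version does. Deploy the rule with Action Count first, as the answer's JSON does, and compare the sampled requests' header order strings against what this model predicts before switching to Block.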
