Web ACL rules and inserting custom Header

0

Can an AWS WAF Web ACL rule that inserts a custom header use a dynamic variable such as ${awswaf:label_names}, as in the JSON sample?

    {
      "Name": "MyRule",
      "Priority": 0,
      "Statement": {
        "LabelMatchStatement": {
          "Scope": "NAMESPACE",
          "Key": "awswaf:xyz:"
        }
      },
      "Action": {
        "Allow": {
          "CustomRequestHandling": {
            "InsertHeaders": [
              {
                "Name": "my-name",
                "Value": "${awswaf:label_names}"
              }
            ]
          }
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "CustHeader"
      }
    }

asked 13 days ago · 41 views
2 Answers
0

Based on the available information, AWS WAF Web ACL rules can insert custom headers, but there's no indication that dynamic variables like ${awswaf:label_names} are supported in the header value.

When inserting custom headers, AWS WAF allows you to specify a name and a value for each header. The name must follow certain constraints, including a minimum length of 1 and a maximum length of 64 characters, and must match the pattern ^[a-zA-Z0-9._$-]+$. The value can be a string with a minimum length of 1 and a maximum length of 255 characters.

AWS WAF prefixes the custom header name with 'x-amzn-waf-' to avoid conflicts with existing headers. For example, if you specify a header name 'my-name', AWS WAF will insert it as 'x-amzn-waf-my-name'.

While AWS WAF does support label namespaces and can add fully qualified labels to requests when a rule with a label matches, there's no explicit mention of using dynamic variables like ${awswaf:label_names} in custom header values.

The custom request handling feature is designed to insert static header values when a rule action doesn't block the request. It's typically used for actions like Allow, Count, CAPTCHA, and Challenge.

Given the lack of information about dynamic variables in custom headers, it's likely that the JSON sample you provided with ${awswaf:label_names} as a header value would not work as intended. Instead, you would need to specify a static string value for the custom header.
Sources
Inserting custom request headers for non-blocking actions - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
CustomRequestHandling - AWS WAFV2
CustomHTTPHeader - AWS WAFV2
WebACL - AWS WAFV2

answered 13 days ago
0

Currently, AWS WAF doesn’t support using dynamic variables like ${awswaf:label_names} in the InsertHeaders section of a Web ACL rule. That field only accepts static string values, so if you try to use something like:

    "InsertHeaders": [ { "Name": "my-name", "Value": "${awswaf:label_names}" } ]

You can try the options below:

  1. Use LabelMatchStatement to match requests with specific labels and take action (as you're doing in your rule).
  2. If you want to track or log label activity, enable WAF logging to CloudWatch or S3 and label names will show up in the logs.
  3. If you need to pass label info downstream (e.g., to your app), you'll have to use Lambda@Edge or another layer (like ALB with custom header logic) to inject it based on request context.
answered 13 days ago
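As an added example (not code from either answer, the asker, or AWS), the script below turns the points made in both answers into a check you can run against a Web ACL rule before deploying it: it validates each InsertHeaders entry against the CustomHTTPHeader limits quoted above (name 1-64 characters matching ^[a-zA-Z0-9._$-]+$, value 1-255 characters), flags any ${...} placeholder in a value on the assumption stated in the answers that WAF inserts the value literally rather than expanding it, shows the x-amzn-waf- prefixed name the origin would actually receive, and pulls label names out of a WAF log record, which is the logging route suggested in the second answer. The rule dicts and the log record are constructed for the example; a real log record carries many more fields.

```python
"""Static checks for a WAF v2 Web ACL rule's InsertHeaders, plus label extraction
from a WAF log record. Added example, not AWS or re:Post code. Assumes the
CustomHTTPHeader limits quoted in the answers (name 1-64 chars matching
^[a-zA-Z0-9._$-]+$, value 1-255 chars) and the x-amzn-waf- name prefix."""
import copy
import re

HEADER_NAME_RE = re.compile(r"^[a-zA-Z0-9._$-]+$")
# Anything shaped like ${...}; WAF has no template syntax, so this would be sent verbatim.
PLACEHOLDER_RE = re.compile(r"\$\{[^}]*\}")
WAF_PREFIX = "x-amzn-waf-"

# The asker's rule as a dict; the placeholder value is the thing in question.
RULE = {
    "Name": "MyRule",
    "Priority": 0,
    "Statement": {"LabelMatchStatement": {"Scope": "NAMESPACE", "Key": "awswaf:xyz:"}},
    "Action": {"Allow": {"CustomRequestHandling": {"InsertHeaders": [
        {"Name": "my-name", "Value": "${awswaf:label_names}"}]}}},
    "VisibilityConfig": {"SampledRequestsEnabled": True,
                         "CloudWatchMetricsEnabled": True, "MetricName": "CustHeader"},
}

# Same rule with a static marker value, which is what the field accepts.
FIXED_RULE = copy.deepcopy(RULE)
FIXED_RULE["Action"]["Allow"]["CustomRequestHandling"]["InsertHeaders"][0]["Value"] = (
    "label-ns-awswaf-xyz")

# Constructed WAF log record, trimmed to the fields used here. Labels appear in
# the log as a top-level list of {"name": "<fully qualified label>"} objects.
SAMPLE_LOG_RECORD = {
    "timestamp": 1700000000000,
    "action": "ALLOW",
    "terminatingRuleId": "MyRule",
    "labels": [{"name": "awswaf:xyz:alpha"}, {"name": "awswaf:xyz:beta"}],
}


def iter_insert_headers(rule):
    """Yield every InsertHeaders entry under the rule's action (Allow, Count, Captcha, Challenge)."""
    for action in rule.get("Action", {}).values():
        for header in action.get("CustomRequestHandling", {}).get("InsertHeaders", []):
            yield header


def delivered_header(name, value):
    """Header (name, value) as the origin sees it after WAF adds its prefix."""
    return WAF_PREFIX + name, value


def check_rule(rule):
    """Return a list of findings; an empty list means the InsertHeaders entries look valid."""
    findings = []
    for header in iter_insert_headers(rule):
        name, value = header.get("Name", ""), header.get("Value", "")
        if not 1 <= len(name) <= 64 or not HEADER_NAME_RE.match(name):
            findings.append(f"{name!r}: name must be 1-64 chars matching {HEADER_NAME_RE.pattern}")
        if not 1 <= len(value) <= 255:
            findings.append(f"{name!r}: value must be 1-255 chars")
        if PLACEHOLDER_RE.search(value):
            sent_name, sent_value = delivered_header(name, value)
            findings.append(
                f"{name!r}: value contains a ${{...}} placeholder; it is not expanded, "
                f"so the origin would receive '{sent_name}: {sent_value}'")
    return findings


def labels_from_log_record(record):
    """Fully qualified label names from one WAF log record (the logging route in answer 2)."""
    return [label["name"] for label in record.get("labels", [])]


if __name__ == "__main__":
    for finding in check_rule(RULE):
        print("RULE:", finding)
    print("FIXED_RULE findings:", check_rule(FIXED_RULE))
    print("Labels in log record:", labels_from_log_record(SAMPLE_LOG_RECORD))
```

Run it on the rule JSON you are about to push (load it with json.load and pass the dict to check_rule); the placeholder finding shows exactly the literal header the application would otherwise have to cope with, and labels_from_log_record is the shape of the parsing you would do in a log pipeline if you take the logging route instead.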
