terraform.aws.best-practice.missing-alb-drop-http-headers.missing-alb-drop-http-headers
Detected an AWS load balancer that is not configured to drop invalid HTTP headers. Add `drop_invalid_header_fields = true`
to the resource block so that requests carrying malformed header fields are rejected at the load balancer instead of being forwarded to targets. Note that this attribute only applies to application load balancers (`load_balancer_type = "application"`, which is also the provider default when the type is omitted).
Definition
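rules:
  - id: missing-alb-drop-http-headers
    severity: WARNING
    languages:
      - hcl
    message: Detected a AWS load balancer that is not configured to drop invalid
      HTTP headers. Add `drop_invalid_header_fields = true` in your resource
      block.
    metadata:
      category: best-practice
      technology:
        - aws
        - terraform
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    patterns:
      # Match both spellings of the resource: `aws_alb` is the older name of
      # the same `aws_lb` resource, so a rule that only looked at one would
      # miss half of real-world configurations.
      - pattern-either:
          - pattern: |
              resource "aws_lb" $ENABLED {
                ...
              }
          - pattern: |
              resource "aws_alb" $ENABLED {
                ...
              }
      # Only an explicit `= true` satisfies the rule. An absent attribute and
      # an explicit `= false` both fall through and are reported, because in
      # both cases invalid header fields are forwarded to the targets.
      # `$ENABLED` is shared with the patterns above so the exclusion applies
      # to the same resource block that matched.
      - pattern-not-inside: |
          resource $ANYTHING $ENABLED {
            ...
            drop_invalid_header_fields = true
            ...
          }
      # `drop_invalid_header_fields` is only valid for application load
      # balancers (the provider default when `load_balancer_type` is omitted).
      # Network and gateway load balancers cannot set it, so reporting them
      # would be a false positive that cannot be fixed as the message suggests.
      - pattern-not-inside: |
          resource $ANYTHING $ENABLED {
            ...
            load_balancer_type = "network"
            ...
          }
      - pattern-not-inside: |
          resource $ANYTHING $ENABLED {
            ...
            load_balancer_type = "gateway"
            ...
          }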
Examples
missing-alb-drop-http-headers.tf
# Copyright 2019 Bridgecrew
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ok: missing-alb-drop-http-headers
resource "aws_lb" "enabled" {
  name               = "alb"
  load_balancer_type = "application"
  internal           = false
  subnets            = var.public_subnet_ids

  # Compliant: the literal `= true` is what the rule's exclusion looks for.
  drop_invalid_header_fields = true
}
# ok: missing-alb-drop-http-headers
resource "aws_alb" "enabled" {
  # Same fixture as the `aws_lb` variant, using the older resource name.
  name               = "alb"
  load_balancer_type = "application"
  internal           = false
  subnets            = var.public_subnet_ids

  drop_invalid_header_fields = true # compliant
}
# ruleid: missing-alb-drop-http-headers
resource "aws_lb" "default" {
  # Non-compliant: `drop_invalid_header_fields` is not set at all, so the
  # rule reports the block.
  name               = "alb"
  load_balancer_type = "application"
  internal           = false
  subnets            = var.public_subnet_ids
}
# ruleid: missing-alb-drop-http-headers
resource "aws_alb" "default" {
  # Non-compliant under the older resource name: attribute omitted.
  name               = "alb"
  load_balancer_type = "application"
  internal           = false
  subnets            = var.public_subnet_ids
}
# ruleid: missing-alb-drop-http-headers
resource "aws_lb" "disabled" {
  name               = "alb"
  load_balancer_type = "application"
  internal           = false
  subnets            = var.public_subnet_ids

  # Non-compliant: an explicit `false` is treated by the rule exactly like
  # omitting the attribute, since only `= true` is excluded.
  drop_invalid_header_fields = false
}
# ruleid: missing-alb-drop-http-headers
resource "aws_alb" "disabled" {
  name               = "alb"
  load_balancer_type = "application"
  internal           = false
  subnets            = var.public_subnet_ids

  drop_invalid_header_fields = false # non-compliant: explicitly disabled
}