ELB application load balancers should drop invalid HTTP headers
Invalid HTTP headers are the mechanism behind request smuggling and desync attacks, where an attacker crafts ambiguous requests that the load balancer and backend parse differently. When drop_invalid_header_fields is disabled, the ALB forwards those malformed headers to your targets. Depending on how the backend parses them, the result can be cache poisoning, session hijacking, or unauthorized access to other users' requests.
This setting costs nothing to enable and doesn't require application code changes. It cuts off an entire class of HTTP desync vectors at the edge.
Retrofit consideration
Enabling this on existing ALBs can break clients or integrations that send non-standard headers. Pull access logs and check for unexpected 400s before enforcing in production.
Implementation
Choose the approach that matches how you manage Terraform.
Use the compliance.tf module to enforce this control by default. See get started with compliance.tf.
module "alb" {
source = "soc2.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "hipaa.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "gdpr.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "nist800171.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "nydfs23.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "rbicybersecurity.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "rbiitfnbfc.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "fedramplow.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "hipaasecurity2003.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "nistcsfv11.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "nist80053rev4.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "pcidssv321.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
If you use terraform-aws-modules/alb/aws, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.
module "alb" {
source = "terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
drop_invalid_header_fields = true
}
Use AWS provider resources directly. See docs for the resources involved: aws_lb.
resource "aws_lb" "this" {
access_logs {
bucket = "pofix-logs-abc123"
}
internal = true
name = "pofix-abc123"
subnets = ["subnet-abc123", "subnet-def456"]
drop_invalid_header_fields = true
}
What this control checks
The policy checks aws_lb (and aws_alb) resources with load_balancer_type = "application" for drop_invalid_header_fields = true. Omitting the argument or setting it to false fails the control. The attribute sits directly on the aws_lb block with no sub-resources or nested blocks required, and it applies at the load balancer level across all listeners and target groups attached to that ALB.
Common pitfalls
Header-name validation can impact non-standard clients
Not all non-standard headers are malicious. Some legacy clients, custom HTTP libraries, and third-party integrations send header names that don't fully conform to RFC 7230, and the ALB silently drops those requests once this is enabled. Pull ALB access logs and look for unexpected 400s before flipping the switch in production.
Default value is false
The
drop_invalid_header_fieldsargument defaults tofalse, so omitting it is a silent failure. If you're using a shared Terraform module to create ALBs, check whether the module exposes this argument. Many don't, and you'll need to either update the module or pass the attribute as an override.Only applies to Application Load Balancers
The attribute only exists on ALBs (
load_balancer_type = "application"). Set it on a Network Load Balancer and Terraform won't error, but it has no effect. If your compliance checks don't filter byload_balancer_type, you'll get false positives flagging NLB and Gateway LB resources.Confused with desync mitigation mode
These are independent attributes that both address HTTP desync, but they control different things.
desync_mitigation_mode(monitor, defensive, strictest) handles ambiguous request boundaries.drop_invalid_header_fieldshandles malformed header names. Enabling one does not configure the other.
Audit evidence
Auditors want AWS Config results for alb-http-drop-invalid-header-enabled showing all in-scope ALBs as compliant. If Config is not in use, aws elbv2 describe-load-balancer-attributes --load-balancer-arn <arn> showing routing.http.drop_invalid_header_fields.enabled = true for every application load balancer works as direct evidence.
Security Hub findings or CSPM dashboards showing continuous evaluation across accounts and regions fill out the evidence package. ALB access logs with dropped requests containing malformed headers are useful corroboration but rarely required on their own.
Framework-specific interpretation
SOC 2: CC6.6 calls for controls that restrict network exposure and protect system boundaries. For services fronted by an ALB, dropping malformed headers at the load balancer is exactly the kind of boundary control CC6.6 points to. Examiners will want evidence this is enabled across all internet-facing ALBs.
HIPAA Omnibus Rule 2013: 45 CFR 164.312(e)(1) requires technical security measures that protect ePHI in transit from unauthorized access. Protocol-level attacks via malformed HTTP headers can bypass application-layer controls before your code ever sees the request. This setting addresses that at the load balancer, upstream of the application tier.
GDPR: Article 32 doesn't enumerate specific controls, but it requires appropriate technical measures against unauthorized access. Request smuggling via malformed headers is a documented vector for bypassing authorization logic, which makes this a relevant technical safeguard for any ALB handling personal data.
Related controls
ELB application and network load balancer listeners should use secure protocols
ELB application load balancer deletion protection should be enabled
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control:
elb_application_lb_http_drop_invalid_header_enabledAWS Config Managed Rule:
ALB_HTTP_DROP_INVALID_HEADER_ENABLEDCheckov Check:
CKV_AWS_131Powerpipe Controls:
aws_compliance.control.elb_application_lb_drop_http_headers,aws_compliance.control.elb_application_lb_http_drop_invalid_header_enabledProwler Check:
elbv2_desync_mitigation_modeAWS Security Hub Control:
ELB.4KICS Query:
6e3fd2ed-5c83-4c68-9679-7700d224d379Trivy Check:
AWS-0052
Last reviewed: 2026-03-09