Enhancing Security and Performance of Your Web Applications with AWS Application Load Balancer


Are you looking to enhance the security of your web applications while optimizing their performance to ensure a smooth user experience and protect against cyber threats? Application Load Balancers (ALBs) offer powerful features for modifying request and response headers, enabling you to tailor your application’s behavior in various ways. From strengthening security with essential headers like Content Security Policy and HTTP Strict Transport Security, to improving performance through caching strategies and effective resource delivery, ALBs provide a versatile toolkit for developers and system administrators. Whether your goal is to comply with industry standards, integrate with API gateways, or implement custom application logic, mastering header modification can greatly boost your application’s robustness and efficiency. In this post, we delve into some of these functionalities and reveal how you can leverage ALB header modifications to enhance your web applications on AWS.

Renaming TLS Headers

One of the most frequently requested use cases revolves around header renaming. Some legacy systems expect headers in specific formats; for instance, they might require the header to be “Custom-TLS” instead of “X-Amzn-TLS.” Renaming ALB-generated headers such as X-Amzn-mTLS and X-Amzn-TLS allows users to ensure compatibility with legacy application code. This simplifies the use of all ALB features without introducing complexity or workarounds into their workflows. Additionally, this enables seamless integration with existing applications, providing the flexibility to adapt ALB features to specific organizational needs without altering application code or backend services. For example:

aws elbv2 modify-listener-attributes \
    --listener-arn <ARN> \
    --attributes Key=[Headers From renaming headers section].header_name,Value="desired_header_field_name"

Renaming ALB-generated mTLS and TLS header fields—without changing their values—allows users to utilize header names that align with existing TLS-related application code. Users can rename any of the TLS header fields using a listener attribute API call or through the AWS console.

HTTP Strict-Transport-Security and Cross-Origin Resource Sharing

Another highly requested use case involves inserting headers such as HTTP Strict-Transport-Security (HSTS) and Cross-Origin Resource Sharing (CORS) at the ALB level. This empowers ALB users to meet essential security and compliance requirements. Inserting the HSTS header enhances security by instructing browsers to use HTTPS for every subsequent connection to the domain, safeguarding against man-in-the-middle attacks and helping meet industry regulations like PCI DSS and HIPAA. One significant advantage of this feature is that it allows ALB users to meet security standards without modifying the underlying application code. Similarly, inserting CORS headers facilitates secure cross-origin resource sharing, enabling controlled access between different domains in modern web applications. This simplifies the management of cross-origin policies across multiple services, ensuring that only authorized origins can reach sensitive resources; CORS is enforced by the browser, so it complements rather than replaces server-side authorization.

To insert security or CORS headers for cross-origin compliance, you can use:

aws elbv2 modify-listener-attributes \
    --listener-arn <ARN> \
    --attributes Key=routing.http.response."Headers From insert headers section".header_name,Value="desired_value"

Server Header

Another critical security application involves disabling the server header, especially for organizations that enforce strict security and privacy policies mandated by PCI DSS. This ensures that server information isn’t inadvertently revealed. ALB’s header modification capability allows you to disable the “Server” header in responses from the ALB. Moreover, it diminishes the exposure of server-specific information, preventing automated scanning tools or attackers from exploiting known vulnerabilities in particular server software. Centralized management at the ALB level enables organizations to uniformly apply the same security standards across applications, streamlining security operations to ensure consistent protection.

This configuration can prevent the exposure of server information, such as “awselb/2.0,” in responses, providing an additional layer of security:

aws elbv2 modify-listener-attributes \
    --listener-arn <ARN> \
    --attributes Key=routing.http.response.server.enabled,Value="true|false"

ALB adds a Server header with the value “awselb/2.0” only when the target response lacks one. With the server header disable feature, ALB omits that header from the response. If the target response already contains a Server header, it is still proxied to the client unchanged, so the target itself must stop sending one for the header to disappear.
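As an added check that is not code from this post, the following Python parses a captured HTTP response and verifies the three outcomes the last two sections describe: HSTS present with an adequate max-age, no Server header (neither ALB's own awselb/2.0 nor one proxied from the target), and CORS credentials never paired with a wildcard origin. The two sample responses and the one-year max-age threshold are assumptions of the example.

```python
import re

# Added example (not the post's code): check a captured HTTP response against
# the header policy the post configures at the ALB. Sample responses below are
# constructed, not captured from a real ALB.

MIN_HSTS_MAX_AGE = 31536000  # one year, the minimum the HSTS preload list accepts

def parse_response_headers(raw: bytes) -> dict:
    """Headers of a raw HTTP/1.1 response, names lower-cased, repeats joined."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers

def check_header_policy(headers: dict) -> list:
    """Return a list of findings; an empty list means the policy holds."""
    findings = []
    hsts = headers.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not match:
        findings.append("HSTS header missing or has no max-age")
    elif int(match.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {match.group(1)} below {MIN_HSTS_MAX_AGE}")
    # ALB's own "awselb/2.0" should be disabled; a Server value set by the
    # target is proxied unchanged by ALB, so report either one.
    server = headers.get("server")
    if server is not None:
        source = "ALB default" if server.lower().startswith("awselb") else "target"
        findings.append(f"Server header present ({source}): {server}")
    # CORS: credentials must never be paired with a wildcard origin.
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if creds and headers.get("access-control-allow-origin") == "*":
        findings.append("Access-Control-Allow-Credentials: true with wildcard origin")
    return findings

# Constructed: default ALB response in front of a target with no security headers.
WEAK_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: awselb/2.0\r\n"
                 b"Access-Control-Allow-Origin: *\r\n"
                 b"Access-Control-Allow-Credentials: true\r\n\r\n<html></html>")
# Constructed: the same target after the listener attributes in this post apply.
HARDENED_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                     b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                     b"Access-Control-Allow-Origin: https://app.example.com\r\n"
                     b"Access-Control-Allow-Credentials: true\r\n\r\n<html></html>")
```

Running the checker against a response captured with curl -i before and after the listener attributes are applied shows which of the three controls actually took effect.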

Solution Overview

To enable these features at scale, you can implement a solution that queries ALBs in an AWS Region based on the provided tag and modifies the headers of your choice for all the ALBs with that specific tag. This solution deploys an AWS Lambda function to modify ALB headers en masse. The solution can be executed multiple times by adjusting the environment variables associated with Lambda. If you’re looking for more comprehensive insights, check out this blog post for additional information.

Solution Deployment

You can deploy this solution into your AWS account via an AWS CloudFormation template.

Prerequisites

For this walkthrough, you should have an AWS account.

Steps to Deploy the CloudFormation Template

  1. Download the YAML file.
  2. Navigate to the CloudFormation console in your AWS account.
  3. Choose Create stack.
  4. Select “Template is ready,” upload a template file, and navigate to the downloaded YAML file.
  5. Click Next.
  6. Assign a stack name (max. length 30 characters), and click Next.
  7. For the “ALBAttributeName” parameter, enter the ALB Header to be updated or added. For the “ALBAttributeValue,” enter a custom ALB Header to replace the default header. For the “TagKey,” input the tag key used to list ALBs, and for the “TagValue,” enter the tag value used to list ALBs in the region. These are optional parameters that can be set on the Lambda function.
  8. Add tags if desired, and click Next.
  9. Scroll to Capabilities at the screen’s bottom, check the box acknowledging that AWS CloudFormation might create IAM resources with custom names, and then click Create stack.
  10. Wait for the stack creation to complete.

Once the CloudFormation template deploys the Lambda function, adjust the environment variables of the Lambda function and execute it to modify ALB headers as needed for all ALBs in a Region with a specific tag. For further guidance, this YouTube video serves as an excellent resource.
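The tag-driven bulk update the Lambda function performs, written here as an added example rather than the post's own code: it assumes the four CloudFormation parameters (ALBAttributeName, ALBAttributeValue, TagKey, TagValue) reach the function as environment variables of the same names, uses the boto3 elbv2 client calls describe_load_balancers, describe_tags, describe_listeners and modify_listener_attributes, and takes the client as a parameter so the logic can be exercised offline against the constructed FakeElbv2 stand-in at the end.

```python
import os

# Added example, not the post's own Lambda code: find every ALB in the Region
# carrying TagKey=TagValue and apply one listener attribute to all of its
# listeners. Assumes the four CloudFormation parameters are exposed to the
# function as environment variables of the same names.

def tagged_alb_arns(elbv2, tag_key, tag_value):
    """ARNs of application load balancers whose tags contain tag_key=tag_value."""
    arns = [lb["LoadBalancerArn"]
            for page in elbv2.get_paginator("describe_load_balancers").paginate()
            for lb in page["LoadBalancers"] if lb.get("Type") == "application"]
    matched = []
    for i in range(0, len(arns), 20):  # DescribeTags takes at most 20 ARNs per call
        for desc in elbv2.describe_tags(ResourceArns=arns[i:i + 20])["TagDescriptions"]:
            if {t["Key"]: t["Value"] for t in desc["Tags"]}.get(tag_key) == tag_value:
                matched.append(desc["ResourceArn"])
    return matched

def apply_listener_attribute(elbv2, alb_arns, key, value):
    """Set key=value on every listener of each ALB; returns the listener ARNs changed."""
    changed = []
    for alb_arn in alb_arns:
        for lsn in elbv2.describe_listeners(LoadBalancerArn=alb_arn)["Listeners"]:
            elbv2.modify_listener_attributes(ListenerArn=lsn["ListenerArn"],
                                             Attributes=[{"Key": key, "Value": value}])
            changed.append(lsn["ListenerArn"])
    return changed

def lambda_handler(event, context, elbv2=None):
    if elbv2 is None:
        import boto3  # the real client, only when running inside Lambda
        elbv2 = boto3.client("elbv2")
    albs = tagged_alb_arns(elbv2, os.environ["TagKey"], os.environ["TagValue"])
    changed = apply_listener_attribute(
        elbv2, albs, os.environ["ALBAttributeName"], os.environ["ALBAttributeValue"])
    return {"load_balancers": albs, "listeners_modified": changed}

class FakeElbv2:
    """Constructed stand-in for boto3's elbv2 client, for offline runs only."""
    def __init__(self, lbs, tags, listeners):
        self.lbs, self.tags, self.listeners, self.calls = lbs, tags, listeners, []
    def get_paginator(self, name): return self
    def paginate(self): return [{"LoadBalancers": self.lbs}]
    def describe_tags(self, ResourceArns):
        return {"TagDescriptions": [{"ResourceArn": a, "Tags": self.tags.get(a, [])}
                                    for a in ResourceArns]}
    def describe_listeners(self, LoadBalancerArn):
        return {"Listeners": self.listeners.get(LoadBalancerArn, [])}
    def modify_listener_attributes(self, ListenerArn, Attributes):
        self.calls.append((ListenerArn, Attributes))
```

The function's IAM role needs elasticloadbalancing:DescribeLoadBalancers, DescribeTags, DescribeListeners and ModifyListenerAttributes, and nothing broader, which is the least-privilege set for this task.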

Conclusion

The new ALB Header Modification features provide substantial flexibility in managing HTTP headers: whether it’s renaming TLS-related headers for compatibility, disabling the server header for enhanced security, or inserting specific security-related headers to enforce compliance. You can utilize the AWS CLI modify-listener-attributes command for individual ALBs, or implement the aforementioned solution to manage this at scale for ALBs in your account and region. These features empower administrators to fine-tune traffic management while maintaining security, and enabling seamless operations across complex cloud environments.

About the Authors

Alex Johnson
Alex Johnson is a Senior Technical Account Manager (TAM) at AWS, dedicated to assisting customers in achieving their objectives in cloud solutions.

Maria Thompson
Maria Thompson is a Cloud Solutions Architect at AWS, specializing in networking and security.
