feat(elbv2): add dropInvalidHeaderFields for elbv2 (#22466)

clueleaf · web-flow · commit 91767f03e76d · 2022-10-19T17:02:32.000Z
Dropping invalid HTTP headers is recommended and also appears in Security Hub controls as [ELB.4](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-elb-4) Attribute document: https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_LoadBalancerAttribute.html ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts
@@ -43,6 +43,14 @@ export interface ApplicationLoadBalancerProps extends BaseLoadBalancerProps {
    * @default 60
    */
   readonly idleTimeout?: Duration;
+
+  /**
+   * Indicates whether HTTP headers with invalid header fields are removed
+   * by the load balancer (true) or routed to targets (false)
+   *
+   * @default false
+   */
+  readonly dropInvalidHeaderFields?: boolean;
 }
 
 /**
@@ -100,6 +108,7 @@ export class ApplicationLoadBalancer extends BaseLoadBalancer implements IApplic
 
     if (props.http2Enabled === false) { this.setAttribute('routing.http2.enabled', 'false'); }
     if (props.idleTimeout !== undefined) { this.setAttribute('idle_timeout.timeout_seconds', props.idleTimeout.toSeconds().toString()); }
+    if (props.dropInvalidHeaderFields) {this.setAttribute('routing.http.drop_invalid_header_fields.enabled', 'true'); }
   }
 
   /**
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts
@@ -81,6 +81,7 @@ describe('tests', () => {
       deletionProtection: true,
       http2Enabled: false,
       idleTimeout: cdk.Duration.seconds(1000),
+      dropInvalidHeaderFields: true,
     });
 
     // THEN
@@ -98,6 +99,10 @@ describe('tests', () => {
           Key: 'idle_timeout.timeout_seconds',
           Value: '1000',
         },
+        {
+          Key: 'routing.http.drop_invalid_header_fields.enabled',
+          Value: 'true',
+        },
       ],
     });
   });
