What does ALB consider a "valid" header field

Question

As of 2019-11-13, the ELB LoadBalancerAttribute documentation reads

The following attributes are supported by only Application Load Balancers....

routing.http.drop_invalid_header_fields.enabled - Indicates whether HTTP headers with invalid header fields are removed by the load balancer (true) or routed to targets (false). The default is true.

Are the validation rules for header fields different than the rules defined in RFC 7230? If so, are the differences documented anywhere?

Edit: Jon Zobrist reports that the default is false as of 8 PM PST (Nov 13).

Yes, the change was reverted -- see edit. – VoiceOfUnreason Nov 14 '19 at 06:16 — VoiceOfUnreason, Nov 14 '19 at 06:16

score 4 · Answer 1 · answered Jul 08 '21 at 10:14

4

IF your header has an underscore in it then its invalid. We faced this issue with our header which we named as app_token

answered Jul 08 '21 at 10:14

VIJ

1,516
1
18
34

score 3 · Answer 2 · edited Oct 07 '21 at 10:55

All AWS documentation seems to point to these standards: RFC 7230 section 3.2, RFC 822 section 3.1, and RFC 2616 section 4.2. So I would confidently say that No, there are no validation rules for header fields different than the rules defined in those RFCs.

As long as each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace you should be good to go; which is basically what's defined in RFC 7230 section 3.2 (https://www.rfc-editor.org/rfc/rfc7230#section-3.2)

Fields are separated by a carriage return (CR) and a line feed (LF).

Wikipedia has a good list of standard and common non-standard header fields: https://en.wikipedia.org/wiki/List_of_HTTP_header_fields

Other RFCs links:

https://www.rfc-editor.org/rfc/rfc822#section-3.1

https://www.rfc-editor.org/rfc/rfc2616#section-4.2

Note that underscores in header name are NOT allowed: https://forums.aws.amazon.com/thread.jspa?messageID=923182 — explunit, Dec 20 '19 at 21:37

VoiceOfUnreason · Answer 3 · 2020-07-06T11:39:23.750

1

One place the AWS definition is currently documented : a ticket in the AWS Forum, describing the November 13 revert.

ALB removes header "access_token" from incoming request

We consider standard headers to only include alphanumeric characters and hyphens

edited Jul 06 '20 at 11:39

answered Nov 14 '19 at 06:38

VoiceOfUnreason

52,766
5
49
91

2

That link is to the error page for the forum telling you to sign in; its usually better to paste the answer in the answer :) – Chris McKee Jan 10 '20 at 15:04
I'm guessing the post he referenced was [this one](https://forums.aws.amazon.com/message.jspa?messageID=923401). – guessimtoolate Jul 06 '20 at 07:30
Thank you, I've updated the answer to match that link. – VoiceOfUnreason Jul 06 '20 at 11:39
The ALB access logs does not log the headers which are received in the request. Is there any other way to log the headers and check what exactly is the issue with the headers. – user1 Aug 16 '21 at 11:11
Note that the source link in this answer, as well as the link in the comment from @guessimtoolate, are both dead. – Chris Harrington Nov 17 '22 at 21:33

What does ALB consider a "valid" header field

3 Answers3