Note AWS team: this is being reported by penetration testing firms as an information disclosure vulnerability. Request that action is taken to address.
Unfortunately, there is no option to remove the header at this time. If you deploy 3rd Party Solution like F5 WAF, you can cloak server information.
Can we hide or change that awselb/2.0 to another name?
What is the possibility of using AWS WAF to hide the server information sent in the HTTP response? If yes, is there a resource showcasing how it can be performed?
It's not customizable at the moment. A workaround would be to front the ALB with CloudFront and use edge functions to override the Server header with none, as briefly illustrated here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html#lambda-examples-overriding-response-header
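The edge-function workaround described above, as an added example (not from the original thread or from AWS documentation): a Lambda@Edge origin-response handler that replaces the ALB's `Server: awselb/2.0` value before CloudFront returns the response. The replacement value `none`, the helper name `overrideServerHeader` and the sample event are assumptions for illustration.

```javascript
"use strict";

// Lambda@Edge origin-response handler (Node.js runtime). CloudFront hands the
// origin's response in event.Records[0].cf.response, where headers is an
// object of lower-cased names mapping to arrays of { key, value } objects.
// Assumption: the value to publish instead of "awselb/2.0" is "none".
const REPLACEMENT_SERVER_VALUE = "none";

// Pure helper (assumed name) so the rewrite can be unit-tested offline.
// Removes every Server header regardless of casing, then sets the
// replacement; pass value = null to strip the header entirely.
function overrideServerHeader(response, value = REPLACEMENT_SERVER_VALUE) {
  const headers = response.headers || (response.headers = {});
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === "server") delete headers[name];
  }
  if (value !== null) {
    headers.server = [{ key: "Server", value }];
  }
  return response;
}

// Entry point CloudFront invokes for the origin-response trigger.
const handler = async (event) => {
  const response = event.Records[0].cf.response;
  return overrideServerHeader(response);
};

// Constructed sample event shaped like an ALB origin response (not captured).
const sampleEvent = {
  Records: [{ cf: { response: {
    status: "200",
    headers: {
      server: [{ key: "Server", value: "awselb/2.0" }],
      "content-type": [{ key: "Content-Type", value: "text/html" }],
    },
  } } }],
};

// Export as a CommonJS Lambda module when loaded under Node's module system.
if (typeof module !== "undefined") {
  module.exports = { handler, overrideServerHeader };
}
```

Deploy it on the distribution's origin-response event; a Response Headers Policy with a custom `Server` header set to override is the configuration-only alternative mentioned later in the thread.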
Please use Amazon CloudFront's Response Headers Policies. See my response to a similar question on re:Post, How to prevent "awselb/2.0" server information exposure in HTTP response header.
Please note that AWS WAF is inspecting the incoming HTTP traffic (requests, not responses).
Same on our side. AWS team please prioritize it.
What is the possible vulnerability and its exploitations if AWS manages the ELB and keeps it up to date with the latest patches? Is there any resource to know the successful/unsuccessful attacks due to this?