Remove "server awselb/2.0" header from application responses

2

During a pentest of one of our apps running behind an AWS API GW the report showed that the API GW returns a "server awselb/2.0" header, which is identified as a risk by the pentesters. To my knowledge there is no way to remove/suppress such a header, but perhaps I am missing something? Is this something anybody else has ever faced?

asked 2 years ago, 5017 views
3 Answers
0

We are facing the same issue. However, we see that since awselb is managed by AWS, they do not have a direct solution yet; but below is how it is possible to be done. Additionally, how many attacks have happened due to this, given that the ELB is managed and patched regularly by AWS?

According to other re:Post answers, it is not possible to configure the ELB to not expose that header.

However, as a workaround, you can override the value using CloudFront edge functions.

Furthermore, we are seeking additional information to know whether AWS WAF has the capability of hiding the server info from the response. There are possibilities of doing this via third-party WAFs, as per the linked re:Post.

answered 3 days ago
  • AWS WAF is inspecting the incoming HTTP traffic (requests, not responses)

0

Facing the same issue. Is there any WAF that can be used to avoid this issue?

Neron
answered a year ago
0

It is not possible to hide this header directly on Application Load Balancer. Use Amazon CloudFront's Response Headers Policies instead. Please see my response to a similar question on re:Post, on How to prevent "awselb/2.0" server information exposure in HTTP response header.

AWS
Piotrek
answered 3 days ago
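Both the first answer (overriding the value with a CloudFront edge function) and Piotrek's answer (CloudFront in front of the ALB) point at the same place to act: the response on its way back through CloudFront. The following is an added illustration, not code from this thread or from AWS: a CloudFront Function for the viewer-response event that replaces whatever `server` value the ALB returned (here `awselb/2.0`) with a neutral constant. It assumes the ALB is an origin of a CloudFront distribution and that the function is attached to the viewer-response event of the relevant cache behavior; the sample event and the placeholder value `NEUTRAL_SERVER_VALUE` are constructed for local testing. CloudFront Functions represent headers as lowercase keys mapping to `{ value: ... }`, which the sample event mirrors.

```javascript
// Added example (not part of the re:Post thread): CloudFront Function,
// viewer-response event, that overrides the "server" header before the
// response reaches the client. Assumption: the ALB that emits
// "awselb/2.0" is an origin of a CloudFront distribution.

// Constructed placeholder; pick any neutral value the app is comfortable
// revealing. The function overrides the header whether or not it was present.
var NEUTRAL_SERVER_VALUE = 'server';

function handler(event) {
    var response = event.response;
    var headers = response.headers;

    // Overwrite rather than inspect-and-conditionally-edit: the goal is that
    // no response, cached or not, carries the load balancer's identification.
    headers['server'] = { value: NEUTRAL_SERVER_VALUE };

    return response;
}

// Constructed sample event in the CloudFront Functions viewer-response shape,
// carrying the header the pentest report flagged. Used only for local testing;
// the real runtime builds this object for you.
function sampleViewerResponseEvent() {
    return {
        version: '1.0',
        context: { eventType: 'viewer-response' },
        viewer: { ip: '192.0.2.10' },
        request: { method: 'GET', uri: '/api/health', headers: {} },
        response: {
            statusCode: 200,
            statusDescription: 'OK',
            headers: {
                'server': { value: 'awselb/2.0' },
                'content-type': { value: 'application/json' },
                'date': { value: 'Tue, 01 Jan 2030 00:00:00 GMT' }
            }
        }
    };
}

// Defender-side check: returns true when a response headers object still
// discloses the load balancer. Useful in a smoke test after deploying the
// function (compare before/after against the distribution's domain).
function disclosesLoadBalancer(headers) {
    var server = headers['server'];
    return !!server && /awselb/i.test(server.value);
}

// Local run (the CloudFront runtime has no require; the guard keeps this
// harmless there and in test harnesses).
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
    var before = sampleViewerResponseEvent().response.headers;
    var after = handler(sampleViewerResponseEvent()).headers;
    console.log('before:', disclosesLoadBalancer(before), before['server'].value);
    console.log('after: ', disclosesLoadBalancer(after), after['server'].value);
}
```

The same override can be expressed declaratively with a CloudFront response headers policy (custom header `Server` with "override origin" enabled), which is the option Piotrek's answer refers to; the function form is shown because it is the one that can be exercised offline. Note that this only affects clients that reach the ALB through CloudFront; a client hitting the ALB's own hostname still gets `awselb/2.0`, so the ALB should accept traffic only from CloudFront (for example via a custom origin header checked by a listener rule) if the finding is to be closed rather than just hidden.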
