How to use AWS WAF to prevent "awselb/2.0" server information exposure in HTTP response header?

Please consider using CloudFront's native feature Response Headers Policy to remove the header. Yes, you can manipulate headers with edge compute too (CloudFront Functions, Lambda@Edge), but native features, such as Response Header Policies should be preferred whenever possible, as they are free of charge and generally faster to execute.

Removing headers is not possible on "pure ALB" today - a reverse proxy, like Amazon CloudFront, is very often used for such modifications to the HTTP requests and responses.

By putting CloudFront in front of your Load Balancer, you'll gain access to new capabilities of the AWS CDN (content delivery network), such as policies. It is easy to set up for dynamic content (just disable caching using a managed CachingDisabled cache policy), and it has further cost and performance benefits:

• reduce cost of data delivery, because of the Always Free 1TB of data per month, lower Data Transfer Out cost per GB, comparing to regional resources like ALBs, and further options, like CloudFront Savings Bundle,
• lower latency between your users (viewers) and the AWS network - take advantage of AWS edge network infrastructure deployed in over 100 countries worldwide. Please see how Slack improved their API response time by 300ms and reduced API latency from 90ms to 15ms,
• persist connections to your application - even if requests are purely dynamic, requests forwarded over persistent connections from CloudFront's edge locations do not need to establish new TCP/TLS connections to the application (ALB). It removes the latency of multiple round trips, maintains scaled TCP windows, and reduces required ALB capacity and cost, because of a lower number of new and active connections,
• serve content over modern internet protocols such as HTTP/3 or TLS1.3, even if your application doesn’t support it.

Currently, ALB does not support modifying or removing this header. Please note that this header does not disclose the version of the software used by the ALB, but the version of Elastic Load Balancer that generated it, an ALB will always return ‘awselb/2.0’.

As a workaround, you may consider using CloudFront and Lambda@Edge to modify the response headers from ALB.

When CloudFront receives an HTTP response from the origin server (which would be ALB in your case), if there is an origin-response trigger associated with the cache behavior, you can modify the HTTP response to override what was returned from the origin. For more information around the same and how to implement this, please refer following documentation links for more details: [1][2][3]

[1] https://docs.aws.amazon.com/lambda/latest/dg/lambda-edge.html

[2] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html

[3] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-updating-http-responses.html