zalando-incubator / kube-ingress-aws-controller

Configures AWS Load Balancers according to Kubernetes Ingress resources
MIT License

SecurityHub ELB.4 - DropHttpHeaders Default to false - support bool routing.http.drop_invalid_header_fields.enabled #700

Open riverad03 opened 2 months ago

riverad03 commented 2 months ago

Problem to Solve

Security Hub Issue ELB.4 cannot be supported without support for the drop_invalid_header_fields.enabled bool configuration, allowing this change to ALB configurations of Kube clusters. This control evaluates AWS Application Load Balancers (ALBs) to ensure they are configured to drop HTTP headers. By default, ALBs are not configured to drop invalid HTTP header values.

What is the goal of the topic? (optional)

Configure an ALB to dropInvalidHttpHeaders when the annotation zalando.org/aws-load-balancer-drop-headers is configured to true.

Impact

This will allow Security Hub Issue ELB.4 to be supported in Kubernetes Ingress and RouteGroups

Solution

What needs to be changed

Change the code that manages ALB configuration for Kube clusters to allow the dropInvalidHttpHeaders.enabled value to be set, and then implement the configuration change in the ALB implementation code to support the configuration.

Create test cases for this configuration

Acceptance Criteria

Test run showing the setting set, and the mock has the value set or not set

szuecs commented 1 month ago

As far as I understand you want to change ALB attributes (https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_LoadBalancerAttribute.html). The feature request should allow defining an annotation to set the LB attribute routing.http.drop_invalid_header_fields.enabled.
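The mapping both comments describe (annotation on the Ingress on one side, the `routing.http.drop_invalid_header_fields.enabled` load balancer attribute on the other), as an added Go example that is not code from kube-ingress-aws-controller. It assumes the annotation name from the issue, keeps the ALB default of `false` when the annotation is absent, rejects values that are not booleans rather than silently defaulting them, computes the minimal attribute diff a controller would send to ModifyLoadBalancerAttributes, and evaluates a DescribeLoadBalancerAttributes result the way ELB.4 does (pass only when the value is literally `true`). The AWS SDK calls themselves are left out so the block runs offline; the attribute maps are constructed sample data.

```go
package main

import (
	"fmt"
	"strconv"
)

// Names taken from the issue text: the proposed Ingress annotation and the
// ALB attribute key it should control.
const (
	DropHeadersAnnotation = "zalando.org/aws-load-balancer-drop-headers"
	DropHeadersAttribute  = "routing.http.drop_invalid_header_fields.enabled"
)

// AttributeFromAnnotations translates Ingress annotations into the desired
// ALB attribute set. A missing annotation yields "false", which is the ALB
// default; a value that is not a boolean (e.g. "ture") is an error so a typo
// does not quietly leave the load balancer non-compliant.
// strconv.ParseBool accepts "true"/"false", "t"/"f", "1"/"0" in any case.
func AttributeFromAnnotations(annotations map[string]string) (map[string]string, error) {
	desired := map[string]string{DropHeadersAttribute: "false"}
	raw, ok := annotations[DropHeadersAnnotation]
	if !ok {
		return desired, nil
	}
	v, err := strconv.ParseBool(raw)
	if err != nil {
		return nil, fmt.Errorf("annotation %s: %q is not a boolean", DropHeadersAnnotation, raw)
	}
	desired[DropHeadersAttribute] = strconv.FormatBool(v)
	return desired, nil
}

// AttributesToApply returns only the keys whose current value differs from
// the desired one, i.e. the minimal payload for ModifyLoadBalancerAttributes.
// Attributes the controller does not manage (deletion protection etc.) are
// left untouched because only desired keys are compared.
func AttributesToApply(current, desired map[string]string) map[string]string {
	diff := map[string]string{}
	for key, want := range desired {
		if current[key] != want {
			diff[key] = want
		}
	}
	return diff
}

// Elb4Compliant evaluates a DescribeLoadBalancerAttributes result the way
// Security Hub control ELB.4 does: the ALB passes only when the attribute is
// present and set to "true". An absent key counts as the default ("false").
func Elb4Compliant(lbAttributes map[string]string) bool {
	return lbAttributes[DropHeadersAttribute] == "true"
}

func main() {
	// Constructed sample input: an Ingress carrying the annotation, and an ALB
	// whose attributes are still at the default.
	ingressAnnotations := map[string]string{DropHeadersAnnotation: "true"}
	currentALB := map[string]string{
		DropHeadersAttribute:          "false",
		"deletion_protection.enabled": "true",
	}

	desired, err := AttributeFromAnnotations(ingressAnnotations)
	if err != nil {
		fmt.Println("invalid annotation:", err)
		return
	}
	fmt.Println("ELB.4 compliant before:", Elb4Compliant(currentALB))
	fmt.Println("attributes to modify:", AttributesToApply(currentALB, desired))
}
```

The diff step matters in a reconciler: sending every attribute on every loop makes unrelated attributes (such as deletion protection) part of the controller's write set, whereas sending only the managed keys that differ keeps the change scoped to what the annotation asks for.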