AWS WAF allows you to insert custom headers into HTTP requests for non-blocking actions. This feature enables tailored downstream processing or request flagging for analysis without modifying or replacing the original request content.
Use Cases and Applicable Actions
Custom headers are used to signal downstream applications or to flag requests for further analysis, for example tagging requests matched by a Count rule so the application can log them separately. They can be applied with the following non-blocking rule actions: Allow, Count, CAPTCHA, and Challenge, as well as with the default web ACL Allow action. Unlike the Block action, these actions let the request proceed to the protected resource with the added information. A downstream application should rely on these headers only when it is reachable exclusively through the WAF-protected resource; a request that reaches the origin without passing through AWS WAF can carry whatever x-amzn-waf- headers the client chose to send.
Custom Header Behavior
Header Names
- All custom headers are prefixed with x-amzn-waf- to differentiate them from the original request headers.
- Example: a custom header named sample is inserted as x-amzn-waf-sample.
Overwriting Existing Headers
- If the original request includes a header with the same name, AWS WAF overwrites it.
- In cases where multiple rules define headers with the same name, the rule processed last overwrites previous entries.
Interaction with Rule Actions
- Count action: non-terminating, so rule evaluation continues and subsequent rules can insert additional headers.
- CAPTCHA and Challenge: if the request passes token validation, AWS WAF continues evaluating the remaining rules, which may also add headers; a request that fails validation is served the challenge instead and receives no custom headers.
Example:
- RuleA (Count): adds x-amzn-waf-RuleAHeader.
- RuleB (Allow): adds x-amzn-waf-RuleBHeader.
A request matched by both rules is forwarded with both headers.
Inspection Order
Custom headers are added only after AWS WAF finishes inspecting the request. As such, a header inserted by a Count rule is not visible to the rules evaluated after it and cannot be used in their match statements; only the original request is inspected. Here is an example of a web ACL whose default Allow action inserts two custom headers:
{
  "Name": "ExampleWebACL",
  "Scope": "REGIONAL",
  "DefaultAction": {
    "Allow": {
      "CustomRequestHandling": {
        "InsertHeaders": [
          {
            "Name": "HeaderA",
            "Value": "foo"
          },
          {
            "Name": "HeaderB",
            "Value": "bar"
          }
        ]
      }
    }
  },
  "Description": "Sample web ACL.",
  "Rules": [],
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "ExampleWebACL"
  }
}
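The behaviour described in the sections above (the x-amzn-waf- prefix, overwriting of same-name headers, the last matching rule winning, Count and passed CAPTCHA/Challenge rules continuing evaluation, and inserted headers being invisible to later rules) is easier to reason about with a small model. The following is an added example written for this article, not AWS code or part of the original post: it evaluates a constructed web ACL in the wafv2 JSON shape against sample requests. The "HeaderMatch" statement and the token_valid flag are simplifications invented here to stand in for real WAF match statements and CAPTCHA/Challenge token checks.

```python
"""Model of AWS WAF custom request handling (header insertion) semantics.

Added illustration, not AWS code. The "HeaderMatch" statement is an
invented stand-in for real WAF statements; everything else follows the
documented rules for custom headers.
"""
from __future__ import annotations

PREFIX = "x-amzn-waf-"

# Constructed web ACL (wafv2 JSON shape, except the simplified Statement).
SAMPLE_WEB_ACL = {
    "Name": "ExampleWebACL",
    "Scope": "REGIONAL",
    "DefaultAction": {"Allow": {"CustomRequestHandling": {"InsertHeaders": [
        {"Name": "HeaderA", "Value": "foo"}]}}},
    "Rules": [
        {"Name": "DenyList", "Priority": 0,
         "Statement": {"HeaderMatch": {"Name": "X-Env", "Value": "blocked"}},
         "Action": {"Block": {}}},
        {"Name": "Suspect", "Priority": 1,
         "Statement": {"HeaderMatch": {"Name": "X-Env", "Value": "suspect"}},
         "Action": {"CAPTCHA": {"CustomRequestHandling": {"InsertHeaders": [
             {"Name": "Captcha", "Value": "passed"}]}}}},
        {"Name": "RuleA", "Priority": 2,
         "Statement": {"HeaderMatch": {"Name": "X-Env", "Value": "canary"}},
         "Action": {"Count": {"CustomRequestHandling": {"InsertHeaders": [
             {"Name": "RuleAHeader", "Value": "a"},
             {"Name": "Shared", "Value": "from-A"}]}}}},
        # Tries to match the header RuleA inserts; never fires, because WAF
        # inspects the original request only.
        {"Name": "Chained", "Priority": 3,
         "Statement": {"HeaderMatch": {"Name": "x-amzn-waf-RuleAHeader", "Value": "a"}},
         "Action": {"Allow": {"CustomRequestHandling": {"InsertHeaders": [
             {"Name": "Chained", "Value": "yes"}]}}}},
        {"Name": "RuleB", "Priority": 4,
         "Statement": {"HeaderMatch": {"Name": "X-Env", "Value": "canary"}},
         "Action": {"Allow": {"CustomRequestHandling": {"InsertHeaders": [
             {"Name": "RuleBHeader", "Value": "b"},
             {"Name": "Shared", "Value": "from-B"}]}}}},
    ],
}


def _insert_headers(action_body: dict) -> dict[str, str]:
    """Prefixed, lower-cased {name: value} for one action's InsertHeaders."""
    crh = action_body.get("CustomRequestHandling", {})
    return {PREFIX + h["Name"].lower(): h["Value"]
            for h in crh.get("InsertHeaders", [])}


def _matches(statement: dict, original: dict[str, str]) -> bool:
    """Simplified inspection: exact match on a header of the ORIGINAL request."""
    m = statement["HeaderMatch"]
    return original.get(m["Name"].lower()) == m["Value"]


def evaluate(web_acl: dict, request_headers: dict[str, str],
             token_valid: bool = True) -> tuple[str, dict[str, str] | None]:
    """Return (final action, headers forwarded to the origin, or None if not forwarded).

    token_valid says whether the request carries a valid CAPTCHA/Challenge token.
    """
    original = {k.lower(): v for k, v in request_headers.items()}
    pending: dict[str, str] = {}  # inserted only after inspection finishes
    final = None
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        if not _matches(rule["Statement"], original):
            continue
        (action, body), = rule["Action"].items()
        if action == "Block":
            return "Block", None                    # nothing is forwarded
        if action in ("CAPTCHA", "Challenge") and not token_valid:
            return action, None                     # challenge served instead
        pending.update(_insert_headers(body))       # later rules win on same name
        if action == "Allow":
            final = "Allow"                         # terminating: stop here
            break
        # Count, or a passed CAPTCHA/Challenge: keep evaluating remaining rules
    if final is None:                               # no terminating rule matched
        (action, body), = web_acl["DefaultAction"].items()
        if action == "Block":
            return "Block", None
        pending.update(_insert_headers(body))
        final = action
    forwarded = dict(original)
    forwarded.update(pending)  # WAF headers overwrite client-supplied ones of the same name
    return final, forwarded


def run(headers: dict[str, str], token_valid: bool = True):
    """Evaluate a request against the constructed SAMPLE_WEB_ACL."""
    return evaluate(SAMPLE_WEB_ACL, headers, token_valid)


if __name__ == "__main__":
    print(run({"X-Env": "canary", "x-amzn-waf-Shared": "client-spoofed"}))
    print(run({"X-Env": "prod"}))
    print(run({"X-Env": "suspect"}, token_valid=False))
    print(run({"X-Env": "blocked"}))
```

The first scenario is the instructive one: the client-supplied x-amzn-waf-Shared value is overwritten, RuleB's value for Shared wins over RuleA's because it is processed last, the Chained rule never matches because it looks for a header that is only inserted after inspection, and the default action's HeaderA is absent because RuleB's Allow terminated evaluation before the default action was reached.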
The post Enhancing Request Handling with Custom Headers in AWS WAF appeared first on SOC Prime.