Enhancing Request Handling with Custom Headers in AWS WAF

December 06, 2024 · 2 min read

AWS WAF can insert custom headers into a web request when the rule action that applies is non-blocking (a feature AWS calls custom request handling). The inserted headers let the origin or other downstream components apply tailored processing or flag the request for later analysis; the original request content is not modified or replaced, only extended with the additional headers.

Use Cases and Applicable Actions

Custom headers are used to signal downstream applications or flag requests for further analysis. They can be configured on the following non-blocking rule actions: Allow, Count, CAPTCHA, and Challenge, as well as on the web ACL's default action when it is Allow. Unlike Block, which terminates evaluation and returns a response to the client, these actions forward the request to the origin carrying the added information.

Custom Header Behavior

Header Names

  • All custom headers are prefixed with x-amzn-waf- to differentiate them from the original request headers.
  • Example: A custom header named sample is inserted as x-amzn-waf-sample.

Overwriting Existing Headers

  • If the original request already includes a header with the same name, AWS WAF overwrites it with the value from the rule. This overwrite is what lets an origin trust the header: a client cannot pre-set x-amzn-waf-sample to forge a flag, provided every path that reaches the origin (each Allow rule and the default action) inserts that header and the origin accepts traffic only from the WAF-protected distribution or load balancer.
  • If multiple rules insert a header with the same name, the rule processed last overwrites the value set by earlier rules.

Interaction with Rule Actions

  • Count action: Does not terminate evaluation, so subsequent rules can insert additional headers (or overwrite the ones a Count rule set).
  • CAPTCHA and Challenge: A request that carries a valid token is handled like Count: the rule's headers are inserted and evaluation continues, so later rules may add headers too. A request that fails validation receives the CAPTCHA or challenge response instead and never reaches the origin, so no headers are inserted.

Example:

  • RuleA (Count): matches and inserts x-amzn-waf-RuleAHeader; evaluation continues.
  • RuleB (Allow): matches and inserts x-amzn-waf-RuleBHeader; evaluation stops, so the default action's custom headers (if any) are not added. The origin receives both headers.

Inspection Order

Custom headers are applied only after AWS WAF finishes inspecting the request. Rule statements therefore always inspect the original request: a header inserted by a Count rule is not visible to the rules evaluated after it, and cannot be matched on by them. The following web ACL definition inserts two headers through the default Allow action:

{
 "Name": "ExampleWebACL",
 "Scope": "REGIONAL",
 "DefaultAction": {
  "Allow": {
   "CustomRequestHandling": {
    "InsertHeaders": [
     {
      "Name": "HeaderA",
      "Value": "foo"
     },
     {
      "Name": "HeaderB",
      "Value": "bar"
     }
    ]
   }
  }
 },
 "Description": "Sample web ACL.",
 "Rules": [],
 "VisibilityConfig": {
  "SampledRequestsEnabled": true,
  "CloudWatchMetricsEnabled": true,
  "MetricName": "ExampleWebACL"
 }
}
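To make the rules above concrete (the x-amzn-waf- prefix, last-writer-wins overwriting, Count/CAPTCHA/Challenge continuing evaluation, and headers being applied only after inspection), here is a small Python model of the evaluation. It is an added example for this post, not AWS code and not the post's own material: the Request, Rule and WebACL types, the match predicates, the rule names other than RuleA/RuleB, and the has_valid_token flag are illustrative assumptions, not a WAF API. The default-action headers mirror the JSON above.

```python
"""Model of AWS WAF custom request handling (added example, not AWS code).

Reproduces the behaviour the post describes: the x-amzn-waf- prefix,
last-writer-wins overwriting, Count/CAPTCHA/Challenge continuing evaluation,
and inserted headers being applied only after inspection finishes. The types,
match predicates and has_valid_token flag are illustrative assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

PREFIX = "x-amzn-waf-"


@dataclass
class Request:
    path: str
    headers: dict[str, str] = field(default_factory=dict)
    # Stand-in for a valid, unexpired CAPTCHA/Challenge token (assumption).
    has_valid_token: bool = False


@dataclass
class Rule:
    name: str
    action: str  # Allow | Block | Count | CAPTCHA | Challenge
    matches: Callable[[Request], bool]  # statement; inspects the ORIGINAL request
    insert_headers: dict[str, str] = field(default_factory=dict)


@dataclass
class WebACL:
    default_action: str  # Allow | Block
    default_headers: dict[str, str] = field(default_factory=dict)
    rules: list[Rule] = field(default_factory=list)


def _stage(staged: dict[str, str], headers: dict[str, str]) -> None:
    # Prefix every name; a rule processed later overwrites an earlier same-named value.
    for name, value in headers.items():
        staged[(PREFIX + name).lower()] = value


def evaluate(acl: WebACL, req: Request) -> tuple[str, dict[str, str]]:
    """Return (outcome, headers the origin receives). Empty headers mean the
    request was not forwarded (Block, or CAPTCHA/Challenge without a valid token)."""
    staged: dict[str, str] = {}
    terminated = False
    for rule in acl.rules:
        if not rule.matches(req):  # staged headers are NOT visible here
            continue
        action = rule.action
        if action in ("CAPTCHA", "Challenge"):
            if not req.has_valid_token:
                return action, {}  # interstitial returned; origin never sees it
            action = "Count"  # valid token: handled like Count, evaluation continues
        if action == "Block":
            return "Block", {}
        _stage(staged, rule.insert_headers)
        if action == "Allow":
            terminated = True  # Allow ends evaluation; default action is skipped
            break
    if not terminated:
        if acl.default_action == "Block":
            return "Block", {}
        _stage(staged, acl.default_headers)
    # Only now, after inspection, are the headers applied. WAF-inserted names
    # overwrite same-named headers the client sent.
    forwarded = {k.lower(): v for k, v in req.headers.items()}
    forwarded.update(staged)
    return "Allow", forwarded


def demo_acl() -> WebACL:
    """Constructed web ACL: the post's RuleA/RuleB example, a CAPTCHA rule, and a
    Block rule that tries to match on the header RuleA stages (it never can)."""
    def has_header(r: Request, name: str) -> bool:
        return name in {h.lower() for h in r.headers}

    return WebACL(
        default_action="Allow",
        default_headers={"HeaderA": "foo", "HeaderB": "bar"},  # as in the post's JSON
        rules=[
            Rule("RuleA", "Count", lambda r: r.path.startswith("/api/"),
                 {"RuleAHeader": "seen-by-rulea", "tag": "from-a"}),
            Rule("ProbeRuleA", "Block", lambda r: has_header(r, PREFIX + "ruleaheader")),
            Rule("RuleB", "Allow", lambda r: r.path.startswith("/api/"),
                 {"RuleBHeader": "seen-by-ruleb", "tag": "from-b"}),
            Rule("LoginCaptcha", "CAPTCHA", lambda r: r.path == "/login",
                 {"verified": "captcha"}),
        ],
    )


if __name__ == "__main__":
    acl = demo_acl()
    # Client pre-sets a WAF header; RuleA and RuleB both write "tag": RuleB wins.
    print(evaluate(acl, Request("/api/orders", {"X-Amzn-Waf-Tag": "client-lie"})))
    print(evaluate(acl, Request("/static/logo.png")))  # default-action headers only
    print(evaluate(acl, Request("/login")))  # CAPTCHA served, nothing forwarded
    print(evaluate(acl, Request("/login", has_valid_token=True)))
    # The same header name sent by the client IS inspected, and here gets blocked.
    print(evaluate(acl, Request("/api/x", {"x-amzn-waf-ruleaheader": "spoof"})))
```

Running it shows that RuleB's value for tag wins over RuleA's and over the value the client tried to pre-set, that ProbeRuleA never sees the header RuleA staged during the same evaluation but does see the same name when a client sends it, and that the default action's headers appear only when no Allow rule terminated evaluation.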
