

# HTTP header modification for your Application Load Balancer
<a name="header-modification"></a>

Application Load Balancers support HTTP header modification for both request and response headers. Header modification gives you more control over your application's traffic and security without requiring changes to your application code.

To enable header modification, see [Enable header modification](enable-header-modification.md).

## Rename mTLS/TLS headers
<a name="rename-header"></a>

The header rename capability allows you to configure the names of the mTLS and TLS headers that the Application Load Balancer generates and adds to requests.

This ability to modify HTTP headers enables your Application Load Balancer to easily support applications that use specifically formatted request and response headers.


| Header | Description | 
| --- | --- | 
|  X-Amzn-Mtls-Clientcert-Serial-Number  |  Ensures that the target can identify and verify the specific certificate presented by the client during the TLS handshake.  | 
|  X-Amzn-Mtls-Clientcert-Issuer  |  Helps the target validate and authenticate the client certificate by identifying the certificate authority that issued the certificate.  | 
|  X-Amzn-Mtls-Clientcert-Subject  |  Provides the target with detailed information about the entity the client certificate was issued to, which helps in identification, authentication, authorization, and logging during mTLS authentication.  | 
|  X-Amzn-Mtls-Clientcert-Validity  |  Allows the target to verify that the client certificate being used is within its defined validity period, ensuring the certificate is not expired or prematurely used.  | 
|  X-Amzn-Mtls-Clientcert-Leaf  |  Provides the client certificate used in the mTLS handshake, allowing the server to authenticate the client and validate the certificate chain. This ensures the connection is secure and authorized.  | 
|  X-Amzn-Mtls-Clientcert  |  Carries the full client certificate, allowing the target to verify the certificate's authenticity, validate the certificate chain, and authenticate the client during the mTLS handshake process.  | 
|  X-Amzn-TLS-Version  |  Indicates the version of the TLS protocol used for a connection. It helps determine the security level of the communication, troubleshoot connection issues, and ensure compliance.  | 
|  X-Amzn-TLS-Cipher-Suite  |  Indicates the combination of cryptographic algorithms used to secure a connection in TLS. This allows the server to assess the security of the connection, helping with compatibility troubleshooting, and ensuring compliance with security policies.  | 

## Add response headers
<a name="insert-header"></a>

Using insert headers, you can configure your Application Load Balancer to add security-related headers to responses. With these attributes, you can insert headers including HSTS, CORS, and CSP.

By default, the values for these headers are empty, and the Application Load Balancer does not modify the corresponding response header.

When you enable a response header, the Application Load Balancer adds the header with the configured value to all responses. If the response from the target already includes that HTTP response header, the load balancer replaces its value with the configured value. Otherwise, the load balancer adds the HTTP response header to the response with the configured value.


| Header | Description | 
| --- | --- | 
|  Strict-Transport-Security  |  Enforces HTTPS-only connections by the browser for a specified duration, helping to protect against man-in-the-middle attacks, protocol downgrades, and user errors, and ensuring that all communication between the client and target is encrypted.  | 
|  Access-Control-Allow-Origin  |  Controls whether resources on a target can be accessed from different origins. This allows secure cross-origin interactions while preventing unauthorized access.  | 
|  Access-Control-Allow-Methods  |  Specifies the HTTP methods that are allowed when making cross-origin requests to the target. It provides control over which actions can be performed from different origins.  | 
|  Access-Control-Allow-Headers  |  Specifies which custom or non-simple headers can be included in a cross-origin request. This header gives targets control over which headers can be sent by clients from different origins.  | 
|  Access-Control-Allow-Credentials  |  Specifies whether the client should include credentials such as cookies, HTTP authentication or client certificates in cross-origin requests.  | 
|  Access-Control-Expose-Headers  |  Allows the target to specify which additional response headers can be accessed by the client in cross-origin requests.  | 
|  Access-Control-Max-Age  |  Defines how long the browser can cache the result of a preflight request, reducing the need for repeated preflight checks. This helps to optimize performance by reducing the number of OPTIONS requests required for certain cross-origin requests.  | 
|  Content-Security-Policy  |  Security feature that prevents code injection attacks like XSS by controlling which resources such as scripts, styles, images, etc. can be loaded and executed by a website.  | 
|  X-Content-Type-Options  |  With the `nosniff` directive, enhances web security by preventing browsers from guessing the MIME type of a resource. It ensures that browsers only interpret content according to the declared Content-Type.  | 
|  X-Frame-Options  |  Header security mechanism that helps prevent click-jacking attacks by controlling whether a web page can be embedded in frames. Values such as DENY and SAMEORIGIN can ensure that content is not embedded on malicious or untrusted websites.  | 

## Disable headers
<a name="disable-header"></a>

Using disable headers, you can configure your Application Load Balancer to remove the `server:awselb/2.0` header from responses. This reduces the exposure of server-specific information, adding an extra layer of protection to your application.

The attribute name is `routing.http.response.server.enabled`. The available values are `true` or `false`. The default value is `true`.

## Limitations
<a name="header-modification-limits"></a>
+ Header values can contain the following characters:
  + Alphanumeric characters: `a-z`, `A-Z`, and `0-9`
  + Special characters: `` _ :;.,\/'?!(){}[]@<>=-+*#&`|~^% ``
+ The value for the attribute cannot exceed 1K bytes in size.
+ Elastic Load Balancing performs basic input validation to verify that the header value is valid. However, the validation cannot confirm whether the value is supported for a specific header.
+ Setting an empty value for any attribute will cause the Application Load Balancer to revert to the default behavior.
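The two checks in the limitations above (the allowed character set and the 1K size limit) are simple enough to apply client-side before calling the API, which also catches a header value that accidentally carries a line break, since CR and LF are outside the allowed set. The following is an added example, not code from the AWS documentation; it assumes the attribute keys listed under [Header modification attributes](#header-modification-attributes) and a constructed baseline of values, and it emits the `aws elbv2 modify-listener-attributes` command rather than calling AWS itself.

```python
import json
import re
import shlex

# Allowed characters for a header value, per the Limitations list above:
# alphanumerics plus the special characters _ :;.,\/'?!(){}[]@<>=-+*#&`|~^%.
# CR and LF are absent, so a value that would start a second header line
# (response header injection) is rejected here rather than at the ALB.
_ALLOWED = re.compile(r"[A-Za-z0-9_ :;.,\\/'?!(){}\[\]@<>=\-+*#&`|~^%]*")
MAX_VALUE_BYTES = 1024  # the 1K limit on an attribute value

# Attribute keys from the "Header modification attributes" list.
HSTS = "routing.http.response.strict_transport_security.header_value"
CSP = "routing.http.response.content_security_policy.header_value"
XCTO = "routing.http.response.x_content_type_options.header_value"
XFO = "routing.http.response.x_frame_options.header_value"
SERVER = "routing.http.response.server.enabled"

# Constructed baseline for an HTTPS listener; tune the CSP to your application.
BASELINE = {
    HSTS: "max-age=31536000; includeSubDomains",
    CSP: "default-src 'self'; frame-ancestors 'none'",
    XCTO: "nosniff",
    XFO: "DENY",
    SERVER: "false",  # drop the server:awselb/2.0 response header
}


def validate_value(value: str) -> str:
    """Apply the page's two checks (character set, size) and return the value."""
    if _ALLOWED.fullmatch(value) is None:
        bad = sorted({c for c in value if _ALLOWED.fullmatch(c) is None})
        raise ValueError(f"unsupported characters in header value: {bad!r}")
    if len(value.encode("utf-8")) > MAX_VALUE_BYTES:
        raise ValueError("header value exceeds 1K bytes")
    # An empty value passes: it tells the ALB to revert to the default behavior.
    return value


def build_attributes(values: dict) -> list:
    """Return the Attributes list in the shape modify-listener-attributes expects."""
    return [{"Key": k, "Value": validate_value(v)} for k, v in values.items()]


def cli_command(listener_arn: str, values: dict) -> list:
    """argv for the AWS CLI call. --attributes is passed as JSON so that commas
    and semicolons inside values survive (the Key=,Value= shorthand splits on commas)."""
    return ["aws", "elbv2", "modify-listener-attributes", "--listener-arn",
            listener_arn, "--attributes", json.dumps(build_attributes(values))]


if __name__ == "__main__":
    # Placeholder ARN: print the command for review, then run it yourself.
    print(shlex.join(cli_command("arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/PLACEHOLDER", BASELINE)))
```

The validation mirrors only the basic checks the page describes; whether a value is meaningful for a particular header (for example, a well-formed CSP) is still up to you.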

# Enable HTTP header modification for your Application Load Balancer
<a name="enable-header-modification"></a>

Header modification is turned off by default and must be enabled on each listener. For more information, see [HTTP header modification](header-modification.md).

------
#### [ Console ]

**To enable header modification**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. On the navigation pane, choose **Load Balancers**.

1. Select the Application Load Balancer.

1. On the **Listeners and rules** tab, select the protocol and port to open the details page for your listener.

1. On the **Attributes** tab, select **Edit**.

   Listener attributes are organized into groups. You'll choose which features to enable.

1. [HTTPS listeners] **Modifiable mTLS/TLS header names**

   1. Expand **Modifiable mTLS/TLS header names**.

   1. Enable the request headers to modify and provide names for them. For more information, see [Rename mTLS/TLS headers](header-modification.md#rename-header).

1. **Add response headers**

   1. Expand **Add response headers**.

   1. Enable the response headers to add and provide values for them. For more information, see [Add response headers](header-modification.md#insert-header).

1. **ALB server response header**

   1. Enable or disable **Server header**.

1. Choose **Save changes**.

------
#### [ AWS CLI ]

**To enable header modification**  
Use the [modify-listener-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-listener-attributes.html) command. For the list of attributes, see [Header modification attributes](#header-modification-attributes).

```
aws elbv2 modify-listener-attributes \
    --listener-arn listener-arn \
    --attributes "Key=attribute-name,Value=attribute-value"
```

------
#### [ CloudFormation ]

**To enable header modification**  
Update the [AWS::ElasticLoadBalancingV2::Listener](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html) resource to include the attributes. For the list of attributes, see [Header modification attributes](#header-modification-attributes).

```
Resources:
  myHTTPlistener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      LoadBalancerArn: !Ref myLoadBalancer
      Protocol: HTTP
      Port: 80
      DefaultActions:
        - Type: "forward"
          TargetGroupArn: !Ref myTargetGroup
      ListenerAttributes:
        - Key: "attribute-name"
          Value: "attribute-value"
```

------

## Header modification attributes
<a name="header-modification-attributes"></a>

The following are the header modification attributes supported by Application Load Balancers.

`routing.http.request.x_amzn_mtls_clientcert_serial_number.header_name`  
Modify the header name of **X-Amzn-Mtls-Clientcert-Serial-Number**.

`routing.http.request.x_amzn_mtls_clientcert_issuer.header_name`  
Modify the header name of **X-Amzn-Mtls-Clientcert-Issuer**.

`routing.http.request.x_amzn_mtls_clientcert_subject.header_name`  
Modify the header name of **X-Amzn-Mtls-Clientcert-Subject**.

`routing.http.request.x_amzn_mtls_clientcert_validity.header_name`  
Modify the header name of **X-Amzn-Mtls-Clientcert-Validity**.

`routing.http.request.x_amzn_mtls_clientcert_leaf.header_name`  
Modify the header name of **X-Amzn-Mtls-Clientcert-Leaf**.

`routing.http.request.x_amzn_mtls_clientcert.header_name`  
Modify the header name of **X-Amzn-Mtls-Clientcert**.

`routing.http.request.x_amzn_tls_version.header_name`  
Modify the header name of **X-Amzn-Tls-Version**.

`routing.http.request.x_amzn_tls_cipher_suite.header_name`  
Modify the header name of **X-Amzn-Tls-Cipher-Suite**.

`routing.http.response.server.enabled`  
Indicates whether to allow or remove the HTTP response server header.

`routing.http.response.strict_transport_security.header_value`  
Add the **Strict-Transport-Security** header to inform browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.

`routing.http.response.access_control_allow_origin.header_value`  
Add the **Access-Control-Allow-Origin** header to specify which origins are allowed to access the server.

`routing.http.response.access_control_allow_methods.header_value`  
Add the **Access-Control-Allow-Methods** header to specify which HTTP methods are allowed when accessing the server from a different origin.

`routing.http.response.access_control_allow_headers.header_value`  
Add the **Access-Control-Allow-Headers** header to specify which headers are allowed during a cross-origin request.

`routing.http.response.access_control_allow_credentials.header_value`  
Add the **Access-Control-Allow-Credentials** header to indicate whether the browser should include credentials such as cookies or authentication in cross-origin requests.

`routing.http.response.access_control_expose_headers.header_value`  
Add the **Access-Control-Expose-Headers** header to indicate which headers the browser can expose to the requesting client.

`routing.http.response.access_control_max_age.header_value`  
Add the **Access-Control-Max-Age** header to specify how long the results of a preflight request can be cached, in seconds.

`routing.http.response.content_security_policy.header_value`  
Add the **Content-Security-Policy** header to specify restrictions enforced by the browser to help minimize the risk of certain types of security threats.

`routing.http.response.x_content_type_options.header_value`  
Add the **X-Content-Type-Options** header to indicate whether the MIME types advertised in the **Content-Type** headers should be followed and not be changed.

`routing.http.response.x_frame_options.header_value`  
Add the **X-Frame-Options** header to indicate whether the browser is allowed to render a page in a **frame**, **iframe**, **embed**, or **object**.