Enable HTTP header modification for your Application Load Balancer - Elastic Load Balancing
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enable HTTP header modification for your Application Load Balancer

Header modification is turned off by default and must by enabled on each listener.

To enable header modification using the console

  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. On the navigation pane, choose Load Balancers.

  3. Select the Application Load Balancer.

  4. On the Listeners and rules tab, select your listener.

  5. On the Attributes tab, select Edit.

    Note: Listener attributes are organized into groups. You choose how many features you want to enable.

  6. [HTTPS listeners] Modifiable mTLS/TLS header names

    1. Expand Modifiable mTLS/TLS header names.

    2. Enable and provide names for all request headers you'd like to modify. For more information, see Rename mTLS/TLS headers.

  7. Add response headers

    1. Expand Add response headers.

    2. Enable and provide values for all response headers you'd like to add. For more information, see Add response headers.

  8. ALB server response header

    1. Enable or disable Server header.

  9. Choose Save changes.

To enable header modification using the Amazon CLI

Use the modify-listener-attributes command with the following attributes:

routing.http.request.x_amzn_mtls_clientcert_serial_number.header_name

Modify the header name of X-Amzn-Mtls-Clientcert-Serial-Number.

routing.http.request.x_amzn_mtls_clientcert_issuer.header_name

Modify the header name of X-Amzn-Mtls-Clientcert-Issuer.

routing.http.request.x_amzn_mtls_clientcert_subject.header_name

Modify the header name of X-Amzn-Mtls-Clientcert-Subject.

routing.http.request.x_amzn_mtls_clientcert_validity.header_name

Modify the header name of X-Amzn-Mtls-Clientcert-Validity.

routing.http.request.x_amzn_mtls_clientcert_leaf.header_name

Modify the header name of X-Amzn-Mtls-Clientcert-Leaf.

routing.http.request.x_amzn_mtls_clientcert.header_name

Modify the header name of X-Amzn-Mtls-Clientcert.

routing.http.request.x_amzn_tls_version.header_name

Modify the header name of X-Amzn-Tls-Version.

routing.http.request.x_amzn_tls_cipher_suite.header_name

Modify the header name of X-Amzn-Tls-Cipher-Suite.

routing.http.response.server.enabled

Indicates whether to allow or remove the HTTP response server header.

routing.http.response.strict_transport_security.header_value

Add the Strict-Transport-Security header to inform browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.

routing.http.response.access_control_allow_origin.header_value

Add the Access-Control-Allow-Origin header to specify which origins are allowed to access the server.

routing.http.response.access_control_allow_methods.header_value

Add the Access-Control-Allow-Methods header to specify which HTTP methods are allowed when accessing the server from a different origin.

routing.http.response.access_control_allow_headers.header_value

Add the Access-Control-Allow-Headers header to specify which headers are allowed during a cross-origin request.

routing.http.response.access_control_allow_credentials.header_value

Add the Access-Control-Allow-Credentials header to indicate whether the browser should include credentials such as cookies or authentication in cross-origin requests.

routing.http.response.access_control_expose_headers.header_value

Add the Access-Control-Expose-Headers header to indicate which headers the browser can expose to the requesting client.

routing.http.response.access_control_max_age.header_value

Add the Access-Control-Max-Age header to specify how long the results of a preflight request can be cached, in seconds.

routing.http.response.content_security_policy.header_value

Add the Content-Security-Policy header to specify restrictions enforced by the browser to help minimize the risk of certain types of security threats.

routing.http.response.x_content_type_options.header_value

Add the X-Content-Type-Options header to indicate whether the MIME types advertised in the Content-Type headers should be followed and not be changed.

routing.http.response.x_frame_options.header_value

Add the X-Frame-Options header to indicate whether the browser is allowed to render a page in a frame, iframe, embed, or object.