Posted On: Jun 5, 2023

AWS WAF now supports the Header Order match statement, enabling customers to specify the order in which HTTP headers appear in a request. With this feature, customers can further strengthen their access control measures by verifying additional dimensions of request metadata.

Customers could already use WAF match statements to inspect the contents of request headers and compare them against supplied criteria. Previously, customers relied on workarounds such as custom scripts or additional layers of infrastructure to inspect the order of headers in incoming requests. Now, with the Header Order match statement, customers can enforce requirements on the order of headers in incoming requests directly within WAF rules. For instance, browsers speaking the same HTTP protocol version usually send their headers in a characteristic order. If the browser type indicated by the “User-Agent” header does not correspond to the observed order of the request headers, the request may not be coming from the claimed source. With the Header Order match statement, customers can create a rule that checks for specific headers and enforces a specific order, such as “Content-Type” followed by “Authorization”.
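The following is an added example, not code from AWS or this announcement, showing the two checks described above in Python: deriving the header-order string a rule would inspect, comparing it with a per-client expected order, and building a rule that requires “Content-Type” to precede “Authorization”. It assumes, as described in the AWS WAF developer guide, that the HeaderOrder field exposes the request's header names lowercased, in arrival order, joined by colons; the `EXPECTED_PREFIX` profiles and the sample requests are constructed, and the exact rule JSON shape (RegexMatchStatement over a HeaderOrder field with OversizeHandling) should be confirmed against the developer guide before deployment.

```python
"""Header-order checks modelled on AWS WAF's Header Order match statement.

Added example, not AWS code. Assumptions: the HeaderOrder field-to-match
exposes header names lowercased, in arrival order, colon-separated (per the
AWS WAF developer guide); confirm the rule JSON schema before deploying.
"""
import json
import re


def header_order_string(headers):
    """Render the header-name list the way the HeaderOrder field exposes it.
    `headers` is a list of (name, value) pairs in wire order."""
    return ":".join(name.lower() for name, _ in headers)


def appears_before(order, first, second):
    """True if `first` precedes `second` in the order string; both must be
    present. Comparison is case-insensitive."""
    names = order.split(":")
    first, second = first.lower(), second.lower()
    if first not in names or second not in names:
        return False
    return names.index(first) < names.index(second)


# Constructed reference profiles (assumption, not measured browser behaviour):
# a User-Agent product token mapped to the header prefix that client family
# is expected to send. A real deployment would derive these from observed traffic.
EXPECTED_PREFIX = {
    "ExampleBrowser": "host:user-agent:accept",
    "ExampleClient": "host:accept:user-agent",
}


def user_agent_consistent(headers):
    """True when header order matches the profile for the client named in
    User-Agent, False on mismatch (request may not come from the claimed
    source), None when no profile applies."""
    ua = next((v for n, v in headers if n.lower() == "user-agent"), "")
    order = header_order_string(headers)
    for token, prefix in EXPECTED_PREFIX.items():
        if ua.startswith(token):
            return order.startswith(prefix)
    return None


def header_order_regex_rule(name, regex, priority=0):
    """Build a WAF rule (JSON-serialisable dict) that blocks requests whose
    header order does NOT match `regex`. Statement/field names follow the
    AWS WAF JSON schema as understood here (assumption; verify before use)."""
    return {
        "Name": name,
        "Priority": priority,
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
        "Statement": {
            "NotStatement": {
                "Statement": {
                    "RegexMatchStatement": {
                        "RegexString": regex,
                        "FieldToMatch": {"HeaderOrder": {"OversizeHandling": "MATCH"}},
                        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                    }
                }
            }
        },
    }


# The announcement's example: "content-type" must be followed, possibly after
# other headers, by "authorization".
CONTENT_TYPE_BEFORE_AUTH = r"content-type:(?:[^:]+:)*authorization"


def rule_would_block(rule, headers):
    """Offline approximation of the WAF decision for a rule built by
    header_order_regex_rule, so the regex can be tested before deployment."""
    stmt = rule["Statement"]["NotStatement"]["Statement"]["RegexMatchStatement"]
    return re.search(stmt["RegexString"], header_order_string(headers)) is None


if __name__ == "__main__":
    # Constructed sample requests.
    good = [("Host", "api.example.com"), ("User-Agent", "ExampleBrowser/1.0"),
            ("Accept", "*/*"), ("Content-Type", "application/json"),
            ("Authorization", "Bearer <token>")]
    bad = [("Host", "api.example.com"), ("Authorization", "Bearer <token>"),
           ("User-Agent", "ExampleBrowser/1.0"), ("Content-Type", "application/json")]
    rule = header_order_regex_rule("RequireContentTypeBeforeAuth", CONTENT_TYPE_BEFORE_AUTH)
    print(json.dumps(rule, indent=2))
    for label, req in (("good", good), ("bad", bad)):
        print(label, header_order_string(req),
              "block" if rule_would_block(rule, req) else "allow",
              "ua-consistent:", user_agent_consistent(req))
```

A NotStatement around the match is used so the rule blocks only when the required order is absent; evaluating the same regex locally with `rule_would_block` lets you validate the pattern against captured traffic before it reaches production.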

There is no additional cost for using this feature; however, standard AWS WAF charges still apply. For more information about pricing, visit the AWS WAF Pricing page. The feature is available in all AWS Regions where AWS WAF is available and for each supported service, including Amazon CloudFront, Application Load Balancer, Amazon API Gateway, AWS AppSync, and Amazon Cognito. To learn more, see the AWS WAF developer guide.