Check: SRG-APP-000439-WSR-000192
Web Server SRG:
SRG-APP-000439-WSR-000192
(in versions v4 r2 through v3 r3)
Title
The web server must use HTTP/2, at a minimum. (Cat II impact)
Discussion
HTTP/2, like HTTPS, enhances security compared to HTTP/1.x by minimizing the risk of header-based attacks (e.g., header injection and manipulation). Websites that fully utilize HTTP/2 are inherently protected and defend against smuggling attacks. HTTP/2 provides the method for specifying the length of a request, which removes any potential for ambiguity that can be leveraged by an attacker. This is applicable to all web architectures such as load balancing/proxy use cases. - The front-end and back-end servers should both be configured to use HTTP/2. - HTTP/2 must be used for communications between web servers. - Browser vendors have agreed to only support HTTP/2 only in HTTPS mode, thus TLS must be configured to meet this requirement. TLS configuration is out of scope for this requirement.
Check Content
Verify the web server uses HTTP/2. If the web server does not use HTTP/2 at a minimum, this is a finding.
Fix Text
Configure the web server to use HTTP/2, at a minimum. Note that browsers support HTTP/2 only in HTTPS mode. The tunneling of HTTP/1.x through HTTPS is not an approved configuration.
Additional Identifiers
Rule ID: SV-264362r984431_rule
Vulnerability ID: V-264362
Group Title: SRG-APP-000439
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002418 |
Protect the confidentiality and/or integrity of transmitted information. |
Controls
Number | Title |
---|---|
SC-8 |
Transmission Confidentiality and Integrity |