The web server must use HTTP/2, at a minimum.

STIG ID: SRG-APP-000439-WSR-000192  |  SRG: SRG-APP-000439 |  Severity: medium (CAT II)  |  CCI: CCI-002418 |  Vulnerability Id: V-264362

Vulnerability Discussion

HTTP/2, like HTTPS, enhances security compared to HTTP/1.x by minimizing the risk of header-based attacks (e.g., header injection and manipulation).

Websites that fully utilize HTTP/2 are inherently protected and defend against smuggling attacks. HTTP/2 provides the method for specifying the length of a request, which removes any potential for ambiguity that can be leveraged by an attacker.

This is applicable to all web architectures such as load balancing/proxy use cases.
- The front-end and back-end servers should both be configured to use HTTP/2.
- HTTP/2 must be used for communications between web servers.
- Browser vendors have agreed to only support HTTP/2 only in HTTPS mode, thus TLS must be configured to meet this requirement. TLS configuration is out of scope for this requirement.

Check

Verify the web server uses HTTP/2.

If the web server does not use HTTP/2 at a minimum, this is a finding.

Fix

Configure the web server to use HTTP/2, at a minimum.

Note that browsers support HTTP/2 only in HTTPS mode. The tunneling of HTTP/1.x through HTTPS is not an approved configuration.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.