The web server must use HTTP/2, at a minimum.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-264362 | SRG-APP-000439-WSR-000192 | SV-264362r984431_rule | CCI-002418 | medium |

Description

HTTP/2, like HTTPS, enhances security compared to HTTP/1.x by minimizing the risk of header-based attacks (e.g., header injection and manipulation). Websites that fully utilize HTTP/2 are inherently protected and defend against smuggling attacks. HTTP/2 provides the method for specifying the length of a request, which removes any potential for ambiguity that can be leveraged by an attacker. This is applicable to all web architectures, such as load balancing/proxy use cases.

- The front-end and back-end servers should both be configured to use HTTP/2.
- HTTP/2 must be used for communications between web servers.
- Browser vendors have agreed to support HTTP/2 only in HTTPS mode, thus TLS must be configured to meet this requirement. TLS configuration is out of scope for this requirement.

| STIG | Date |
|---|---|
| Web Server Security Requirements Guide | 2025-02-12 |
Related Frameworks

3 paths across 3 frameworks

NIST 800-53 mapping: SC-8 (1.00)
- DISA · 4 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-171 mapping: 3.13.8 (1.00)
- DISA · 4 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI mapping: CCI-002418 (1.00)
- DISA · 4 · disa_xccdf · related
Details
Check Text (C-264362r984431_chk)
Verify the web server uses HTTP/2.
If the web server does not use HTTP/2 at a minimum, this is a finding.
Fix Text (F-68183r984430_fix)
Configure the web server to use HTTP/2, at a minimum.
Note that browsers support HTTP/2 only in HTTPS mode. The tunneling of HTTP/1.x through HTTPS is not an approved configuration.
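As an added illustration (not part of the SRG text), the following Python shows the difference the description relies on: an HTTP/2 frame states its payload length explicitly in the frame header, whereas an HTTP/1.x message has to be checked for the body-length conflicts that request smuggling depends on. The sample frame and requests are constructed for the example; the header-checking rules follow RFC 9112 section 6.3.

```python
from typing import Optional

# HTTP/2 frame header (RFC 9113 section 4.1): 24-bit length, 8-bit type,
# 8-bit flags, 1 reserved bit followed by a 31-bit stream identifier.
FRAME_HEADER_LEN = 9
FRAME_TYPE_DATA = 0x0


def parse_h2_frame_header(buf: bytes) -> dict:
    """Return the explicit length, type, flags and stream id of one HTTP/2 frame."""
    if len(buf) < FRAME_HEADER_LEN:
        raise ValueError("short frame header")
    length = int.from_bytes(buf[0:3], "big")       # payload length is never inferred
    ftype, flags = buf[3], buf[4]
    stream_id = int.from_bytes(buf[5:9], "big") & 0x7FFFFFFF  # drop reserved bit
    return {"length": length, "type": ftype, "flags": flags, "stream_id": stream_id}


def h1_framing_is_ambiguous(raw: bytes) -> Optional[str]:
    """Return a reason if an HTTP/1.x request's body length is ambiguous, else None.

    A front-end proxy or server that rejects such requests removes the
    disagreement between hops that smuggling needs; HTTP/2 avoids it by design.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "no end of headers"
    header_lines = head.split(b"\r\n")[1:]          # skip the request line
    content_lengths, transfer_encodings = [], []
    for line in header_lines:
        if line[:1] in (b" ", b"\t"):
            return "obsolete line folding"           # parsers disagree on obs-fold
        name, _, value = line.partition(b":")
        name = name.strip().lower()
        if name == b"content-length":
            content_lengths.append(value.strip())
        elif name == b"transfer-encoding":
            transfer_encodings.append(value.strip())
    if content_lengths and transfer_encodings:
        return "both Content-Length and Transfer-Encoding"
    if len(set(content_lengths)) > 1:
        return "conflicting Content-Length values"
    if any(not v.isdigit() for v in content_lengths):
        return "non-numeric Content-Length"
    return None


# Constructed samples for the example (not taken from the SRG).
H2_DATA_FRAME = (5).to_bytes(3, "big") + bytes([FRAME_TYPE_DATA, 0x1]) + (1).to_bytes(4, "big") + b"hello"
H1_CLEAN = b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n\r\nhello"
H1_AMBIG = b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
```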