Rule ID
SV-284928r1212129_rule
Version
V1R1
HTTP/2, like HTTPS, enhances security compared to HTTP/1.x by minimizing the risk of header-based attacks (e.g., header injection and manipulation). Websites that fully use HTTP/2 are inherently protected and defend against smuggling attacks. HTTP/2 provides the method for specifying the length of a request, which removes any potential for ambiguity that can be leveraged by an attacker. This is applicable to all web architectures such as load balancing/proxy use cases. - The front-end and back-end servers should both be configured to use HTTP/2. - HTTP/2 must be used for communications between web servers. - Browser vendors have agreed to only support HTTP/2 only in HTTPS mode; thus, TLS must be configured to meet this requirement. TLS configuration is out of scope for this requirement.
Verify HTTP/1.x downgrading is disabled. Navigate to Sysadmin Console >> Network >> HTTP Version >> Select >> Yes to Warning >> OK. If the message displayed states "There are no changes to HTTP/2 settings.", then HTTP/1.x has been disabled. If the HTTP/1.x downgrading is enabled, this is a finding.
Configure the Cisco SNA Appliance to use HTTP/2. Navigate to Sysadmin Console >> Network >> HTTP Version >> Select >> Yes to Warning >> OK.