Skip to main content

๐Ÿ›ก๏ธ Azure App Service does not run the latest HTTP version๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ App Service does not run the latest HTTP version๐ŸŸข
  • ID: /ce/ca/azure/app-service/latest-http-version
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY, RELIABILITY, PERFORMANCE

Logicโ€‹

Similar Policiesโ€‹

Similar Internal Rulesโ€‹

RulePoliciesFlags
โœ‰๏ธ dec-x-345591b31

Descriptionโ€‹

Open File

Descriptionโ€‹

Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.

Rationaleโ€‹

Newer versions may contain security enhancements and additional functionality. Using the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected.

HTTP 2.0 has additional performance improvements on the head-of-line blocking problem of old HTTP version, header compression, and prioritization of requests. HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism, as it provides its own, more efficient, mechanisms for data streaming.

Impactโ€‹

Most modern browsers support HTTP 2.0 protocol over TLS only, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third-party certificate.

... see more

Remediationโ€‹

Open File

Remediationโ€‹

From Azure Portalโ€‹

  1. Login to Azure Portal using https://portal.azure.com.
  2. Go to App Services.
  3. Click on each App.
  4. Under Setting section, Click on Configuration.
  5. Set HTTP version to 2.0 under General settings.

NOTE: Most modern browsers support HTTP 2.0 protocol over TLS only, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate.

From Azure CLIโ€‹

To set HTTP 2.0 version for an existing app, run the following command:

az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --http20-enabled true

From PowerShellโ€‹

To enable HTTP 2.0 version support, run the following command:

Set-AzWebApp -ResourceGroupName <app resource group> -Name <app name> -Http20Enabled $true

policy.yamlโ€‹

Open File

Linked Framework Sectionsโ€‹

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 36h patch management controls โ€” to manage the assessment and application of patches and other updates that address known vulnerabilities in a timely manner;77no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 40 An important aspect of information asset life-cycle management involves minimising vulnerabilities and maintaining support. Information security exposures could arise from hardware and software which is outdated or has limited or no support (whether through a third party, a related party or in-house). Technology that is end-of-life5 , out-of-support or in extended support is typically less secure by design, has a dated security model and can take longer, or is unable, to be updated to address new threats.77no data
๐Ÿ’ผ CIS Azure v2.1.0 โ†’ ๐Ÿ’ผ 9.8 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App - Level 1 (Automated)1no data
๐Ÿ’ผ CIS Azure v3.0.0 โ†’ ๐Ÿ’ผ 9.10 Ensure that 'HTTP20enabled' is set to 'true' (if in use) (Automated)1no data
๐Ÿ’ผ Cloudaware Framework โ†’ ๐Ÿ’ผ Infrastructure Modernization16no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SI-2(6) Flaw Remediation _ Removal of Previous Versions of Software and Firmware66no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification1921no data
๐Ÿ’ผ UK Cyber Essentials โ†’ ๐Ÿ’ผ 3.1 All software on in-scope devices must be licensed and supported66no data