Description

Periodically, newer HTTP versions are released either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes and new functionality.

Rationale

Newer versions may contain security enhancements and additional functionality. Using the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected.

HTTP 2.0 improves performance over older HTTP versions by addressing head-of-line blocking, enabling header compression, and supporting request prioritization. HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism, as it provides its own, more efficient mechanisms for data streaming.

Impact

Most modern browsers support HTTP 2.0 protocol over TLS only, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third-party certificate.

Audit

From Azure Portal

1. Log in to the Azure portal using https://portal.azure.com.
2. Go to App Services.
3. Select each app.
4. Under Settings, select Configuration.
5. Ensure HTTP Version is set to 2.0 under General settings.

Note: Most modern browsers support HTTP 2.0 over TLS only, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third-party certificate.

From Azure CLI

To check HTTP 2.0 version status for an existing app, run the following command:

az webapp config show \
    --resource-group {{resource-group-name}} \
    --name {{app-name}} \
    --query http20Enabled

The output should return true if HTTP/2 is enabled.

From PowerShell

For each application, run the following command:

Get-AzWebApp `
    -ResourceGroupName {{resource-group-name}} `
    -Name {{app-name}} |
    Select-Object -ExpandProperty SiteConfig

If the value of the Http20Enabled setting is true, the application is compliant.

Otherwise, if the value of the Http20Enabled setting is false, the application is non-compliant.

From Azure Policy

If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.

• Policy ID: e2c1c086-2d84-4019-bff3-c44ccd95113c - Name: Function apps should use latest 'HTTP Version'
• Policy ID: 8c122334-9d20-4eb8-89ea-ac9a705b74ae - Name: App Service apps should use latest 'HTTP Version'

References

1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings
2. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-posture-vulnerability-management#pv-3-define-and-establish-secure-configurations-for-compute-resources
3. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-posture-vulnerability-management#pv-6-rapidly-and-automatically-remediate-vulnerabilities