Description:

Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.


Rationale:

Newer versions may contain security enhancements and additional functionality. Using the latest version is recommended to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected.

HTTP 2.0 has additional performance improvements on the head-of-line blocking problem of the old HTTP version, header compression, and prioritization of requests. HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism, as it provides its own, more efficient, mechanisms for data streaming.

Impact:

Ensure that your Microsoft Azure App Service web applications are using the latest version of the HTTP protocol (i.e. HTTP/2) to make your web applications load faster. HTTP 2.0 represents a major upgrade of the HTTP/1.1 protocol, that has the primary goal of reducing the impact of latency and connection load on web servers by implementing full request and response multiplexing, minimizing protocol overhead via compression of HTTP header fields, and adding support for HTTP request prioritization and server push.

Default Value:

By default, HTTP 1.1 version will be used when creating a new app using the command-line tool or the Azure Portal console.


Test Plan:

From Azure Console

  1. Login to Azure Portal 

  2. Go to App Services

  3. Click on each App

  4. Under the Setting section, Click on Configuration

  5. Ensure that HTTP Version set to 2.0 version under General settings

NOTE: Most modern browsers support HTTP 2.0 protocol over TLS only, while non- encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third-party certificate.


Using Azure Command Line Interface

To check HTTP 2.0 version status for an existing app, run the following command,

az webapp config show --resource-group <RESOURCE_GROUP_NAME> --name
<APP_NAME> --query http20Enabled


The output should return true if HTTPS 2.0 traffic value is set to On.


Remediation:

From Azure Console

  1. Login to Azure Portal 

  2. Go to App Services

  3. Click on each App

  4. Under Setting section, Click on Configuration

  5. Set HTTP version to 2.0 under General settings

NOTE: Most modern browsers support HTTP 2.0 protocol over TLS only, while non- encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate.


Using Azure Command Line Interface

To set HTTP 2.0 version for an existing app, run the following command:

az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME>
--http20-enabled true


Backout Plan:

  1. Go to App Services

  2. Click on each App

  3. Under Setting section, Click on Configuration

  4. Ensure that HTTP Version set to 1.1 version under General settings(how we can revoke the changes)


References:

  1. https://docs.microsoft.com/en-us/azure/app-service/web-sites- configure#general-settings

  2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls- v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate- software-vulnerabilities

  3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls- v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for- compute-resources