4.1.13 Ensure HTTP/2.0 is used

Information

HTTP/2.0 is an optimized and more secure version of the HTTP protocol. It should be enabled so users can take advantage of it.

Note: Legacy user agents may not be able to connect to a server using HTTP/2.0.

Rationale:

HTTP/2.0 introduces both performance benefits through full multiplexing and several security benefits. HTTP/2.0 has improved cipher suite requirements and denylists. It also disables session renegotiation and TLS compression. This helps protect against vulnerabilities like CRIME and ensures we have stronger encryption.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Open the nginx server configuration file and configure all listening ports with http2, similar to that of this example:

server {
listen 443 ssl http2;
}

Default Value:

By default, HTTP/1.1 is used.

See Also

https://workbench.cisecurity.org/files/4212