Information
HTTP/2 is the established standard for web communication, offering significant performance benefits over HTTP/1.1 through multiplexing. For 2025 and beyond, HTTP/3 should also be enabled. HTTP/3 operates over the QUIC protocol, which is built on UDP, to solve head-of-line blocking, reduce connection setup time, and improve performance on unreliable networks. Both protocols require a secure TLS 1.3 environment to function.
Enabling HTTP/2 provides a baseline of modern performance via stream multiplexing. Enabling HTTP/3 provides a further competitive advantage by mitigating TCP's head-of-line blocking and offering a faster, more reliable connection handshake, which is especially beneficial for mobile users. A server supporting both protocols can serve the vast majority of modern clients with the best possible performance and security. The strong encryption requirements of both protocols naturally align with a TLS 1.3-only policy.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Prerequisite: Ensure your NGINX version is compiled with the --with-http_v3_module flag.
- Open your NGINX server configuration file.
- In the main server block for your HTTPS site, add or modify the directives to enable HTTP/2, HTTP/3, and advertise its availability.
- Ensure your firewall allows UDP traffic on port 443.
server {
    # 1. Enable HTTP/2 on the standard TCP listener
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # 2. Enable HTTP/3 on the UDP listener
    listen 443 quic reuseport;
    listen [::]:443 quic reuseport;

    # ... other ssl directives like ssl_certificate ...

    # 3. Advertise HTTP/3 availability to browsers
    # The max-age (ma) is in seconds (e.g., 2 years)
    add_header Alt-Svc 'h3=":443"; ma=63072000';

    # Required for HTTP/3
    ssl_early_data on;
}
Impact:
HTTP/2 has no significant negative impact as it is universally supported by modern clients. Enabling HTTP/3 has operational considerations:
- NGINX Build: Your NGINX binary must be compiled with HTTP/3 and QUIC support. Standard OS packages may not include this. NGINX's own repository has included the http_v3 module since NGINX version 1.25.0.
- Run this command and check whether the http_v3 module is present:
nginx -V 2>&1 | tr ' ' '\n' | grep --color=auto 'with-'
- Firewall Configuration: You must allow UDP traffic on port 443, as HTTP/3 uses the QUIC protocol over UDP. This is a common oversight that will cause HTTP/3 to fail.
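
An offline check of the build flag and the three numbered settings from the Solution, as an added example that is not part of the benchmark or of Nessus. The function names (has_http_v3_module, audit_h2_h3_conf) and both sample inputs are constructed for illustration; the HTTP/2 check also accepts the standalone "http2 on;" directive, which this page does not use.

```shell
#!/bin/sh
# Added example, not from the benchmark. All sample inputs are constructed.

# Succeeds if `nginx -V` output on stdin lists the HTTP/3 module.
has_http_v3_module() {
    tr ' ' '\n' | grep -qx -- '--with-http_v3_module'
}

# Audits configuration text on stdin (for example from `nginx -T`).
# Prints PASS/FAIL per check; the return status is the number of failures.
audit_h2_h3_conf() {
    conf=$(sed 's/#.*$//')   # strip comments so disabled directives do not count
    fails=0
    check() {                # usage: check <label> <extended regex>
        if printf '%s\n' "$conf" | grep -Eq -- "$2"; then
            echo "PASS  $1"
        else
            echo "FAIL  $1"
            fails=$((fails + 1))
        fi
    }
    # Accepts the listen parameter shown above or the "http2 on;" directive.
    check 'HTTP/2 enabled on TCP 443' \
        'listen[[:space:]][^;]*443[^;]*[[:space:]]http2|^[[:space:]]*http2[[:space:]]+on[[:space:]]*;'
    check 'HTTP/3 (QUIC) listener on UDP 443' \
        'listen[[:space:]][^;]*443[^;]*[[:space:]]quic'
    check 'Alt-Svc header advertises h3' \
        'add_header[[:space:]]+Alt-Svc[[:space:]].*h3='
    return "$fails"
}

sample_nginx_v() { cat <<'EOF'
nginx version: nginx/1.25.3
configure arguments: --with-http_ssl_module --with-http_v2_module --with-http_v3_module
EOF
}

sample_conf() { cat <<'EOF'
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # listen 443 quic reuseport;   # QUIC listener left commented out
    add_header Alt-Svc 'h3=":443"; ma=63072000';
}
EOF
}

sample_nginx_v | has_http_v3_module && echo "PASS  http_v3 module compiled in"
sample_conf | audit_h2_h3_conf || echo "$? check(s) failed"
```

The sample configuration advertises h3 in Alt-Svc while its QUIC listener is commented out, so the audit reports one failure. Against a live host, pipe `nginx -V 2>&1` and `nginx -T` into the two functions instead of the samples.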