Ensure Web App uses the latest version of HTTP

Error: Web App does not use the latest version of HTTP

Bridgecrew Policy ID: BC_AZR_NETWORKING_8
Checkov Check ID: CKV_AZURE_18
Severity: MEDIUM

Description

Periodically, new versions of HTTP are released to address security flaws and include additional functionality. HTTP 2.0 improves performance over the older HTTP version by addressing its head-of-line blocking problem and by adding header compression and prioritization of requests. HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism, as it provides its own more efficient mechanisms for data streaming.

We recommend you use the latest HTTP version for web apps and take advantage of any security fixes and new functionalities featured. With each software installation you can determine if a given update meets your organization's requirements. Organizations should verify the compatibility and support provided for any additional software, assessing the current version against the update revision being considered.

Fix - Runtime

Azure Portal

To change the policy using the Azure Portal, follow these steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Navigate to App Services.
  3. For each Web App, click App.
    a) Navigate to the Setting section.
    b) Click Application Settings.
    c) Navigate to the General Settings section.
    d) Set HTTP version to 2.0.

Note

Most modern browsers support the HTTP 2.0 protocol over TLS only, with non-encrypted traffic using HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third-party certificate.

CLI Command

To set HTTP 2.0 version for an existing app, use the following command:

az webapp config set \
  --resource-group <RESOURCE_GROUP_NAME> \
  --name <APP_NAME> \
  --http20-enabled true

Fix - Buildtime

Terraform

  • Resource: azurerm_app_service
  • Argument: http2_enabled
resource "azurerm_app_service" "example" {
    ...

+    site_config {
+        http2_enabled = true
    }
}
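
The same build-time condition can be evaluated against a rendered plan. The following is an added example, not Checkov's or Bridgecrew's own implementation: it walks JSON in the shape produced by `terraform show -json` and reports every azurerm_app_service whose site_config does not set http2_enabled to true. The sample plan and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{
  "planned_values": {"root_module": {
    "resources": [
      {"address": "azurerm_app_service.ok", "type": "azurerm_app_service",
       "values": {"site_config": [{"http2_enabled": true}]}},
      {"address": "azurerm_app_service.off", "type": "azurerm_app_service",
       "values": {"site_config": [{"http2_enabled": false}]}},
      {"address": "azurerm_storage_account.sa", "type": "azurerm_storage_account",
       "values": {}}
    ],
    "child_modules": [{
      "address": "module.web",
      "resources": [
        {"address": "module.web.azurerm_app_service.bare",
         "type": "azurerm_app_service", "values": {"site_config": []}}
      ]
    }]
  }}
}
""")


def iter_resources(module):
    """Yield resources from a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def http2_findings(plan):
    """Return addresses of azurerm_app_service resources without HTTP/2 enabled."""
    root = plan.get("planned_values", {}).get("root_module", {})
    failing = []
    for res in iter_resources(root):
        if res.get("type") != "azurerm_app_service":
            continue
        # Nested blocks appear as lists in plan JSON; a missing or empty
        # site_config means http2_enabled was never set to true.
        blocks = res.get("values", {}).get("site_config") or []
        if not any(b.get("http2_enabled") is True for b in blocks):
            failing.append(res["address"])
    return failing


if __name__ == "__main__":
    for address in http2_findings(SAMPLE_PLAN):
        print(f"FAIL http2_enabled check: {address}")
```

Resources declared inside modules are covered because the walk descends into child_modules, and an app service with no site_config block is reported the same way as one that sets the argument to false.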