The web server must disable HTTP/1.x downgrading.

Description

<VulnDiscussion>HTTP/2 is backward compatible with HTTP/1.x, so it is possible to configure the architecture to implement a front-end server for HTTP/2 while communicating with one or more back-end servers that support only HTTP/1.x. Thus, the front end effectively has to translate or downgrade the requests it receives into the less secure protocol. HTTP downgrading negates the benefits of HTTP/2. If HTTP downgrading cannot be avoided, validate the rewritten/downgraded request against the HTTP/1.1 specification. For example, reject requests that contain newlines in the headers, colons in header names, and spaces in the request method.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>