Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Web Server Security Requirements Guide
SRG-APP-000439
The web server must disable HTTP/1.x downgrading.
The web server must disable HTTP/1.x downgrading.
An XCCDF Rule
Details
Profiles
Prose
The web server must disable HTTP/1.x downgrading.
Medium Severity
<VulnDiscussion>HTTP/2 is backward compatible with HTTP/1.x, so it is possible to configure the architecture to implement a front-end server for HTTP/2 while communicating with one or more back-end servers that support only HTTP/1.x. Thus, the front end effectively has to translate or downgrade the requests it receives into the less secure protocol. HTTP downgrading negates the benefits of HTTP/2. If HTTP downgrading cannot be avoided, validate the rewritten/downgraded request against the HTTP/1.1 specification. For example, reject requests that contain newlines in the headers, colons in header names, and spaces in the request method.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>