4514-nginx-openhttp2 - Recommendation to Enable HTTP/2.0 (Suggestions That Do Not Affect Security)
Rule ID
Category
Level
Compatible Versions
Description
- HTTP/2 should be enabled on nginx HTTPS listeners so that capable clients negotiate it via ALPN and the stricter TLS requirements that HTTP/2 carries apply to the connection.
Scan Frequency
Theoretical Basis
- HTTP/2 (RFC 7540) multiplexes many streams over a single connection, which is mainly a performance gain, but its TLS profile (RFC 7540, Section 9.2) also tightens the cryptographic baseline: TLS 1.2 or later is required, TLS compression and renegotiation are prohibited, and the cipher suites listed in Appendix A (non-ephemeral key exchange and non-AEAD ciphers) are blacklisted. Prohibiting TLS compression removes the CRIME attack vector, and the cipher-suite restrictions push deployments toward ephemeral key exchange and authenticated encryption. Over TLS, HTTP/2 is negotiated via ALPN, so enabling it in nginx presupposes a working HTTPS listener.
Risk Items
Audit Method
- Confirm that nginx was built with the HTTP/2 module, then check the configuration:
nginx -V 2>&1 | grep -o with-http_v2_module
grep -r http2 /etc/nginx
# The grep output should include an HTTPS listener with HTTP/2 enabled, in either of these forms
listen 443 ssl http2;
http2 on;
- Note that grep also matches commented-out lines and unrelated directives such as http2_push, so inspect the matching lines rather than relying on a non-empty result.
- To remediate, edit /etc/nginx/nginx.conf or any other file containing the HTTPS server block. On nginx 1.25.1 and later the http2 parameter of listen is deprecated in favour of the http2 directive; both forms are shown:
server {
    listen 443 ssl http2;
}
server {
    listen 443 ssl;
    http2 on;
}
- Run nginx -t and reload nginx after the change.
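The audit command above is a plain grep, which also matches commented-out lines and directives such as http2_push, so it can report a pass on a server that still only speaks HTTP/1.1. The following shell script is an added example (not part of the benchmark) of a stricter check: it strips comments and accepts either the legacy listen ... ssl http2 parameter or the http2 on directive next to a TLS listener. The sample server blocks are constructed for the demonstration and are not taken from the page.

```shell
#!/bin/sh
# Added example: a stricter HTTP/2 audit than `grep -ir http2 /etc/nginx`.
# Reads nginx configuration text from stdin. Exit status 0 means HTTP/2 is
# enabled on a TLS listener, via either:
#   - the legacy `listen ... ssl http2;` parameter, or
#   - the `http2 on;` directive (nginx 1.25.1+) alongside a `listen ... ssl;`.
nginx_http2_enabled() {
    awk '
        { sub(/#.*/, "") }                                   # drop comments
        /(^|[ \t])listen[ \t]/ && /[ \t]ssl([ \t]|;)/ {
            listen_ssl = 1
            if ($0 ~ /[ \t]http2([ \t]|;)/) listen_h2 = 1   # legacy form
        }
        /(^|[ \t])http2[ \t]+on[ \t]*;/ { h2_on = 1 }        # directive form
        END { exit ((listen_h2 || (h2_on && listen_ssl)) ? 0 : 1) }
    '
}

# Constructed sample configurations (hypothetical server names).
CONF_LEGACY='server {
    listen 443 ssl http2;
    server_name example.test;
}'

CONF_DIRECTIVE='server {
    listen 443 ssl;
    http2 on;
    server_name example.test;
}'

# Passes a naive grep for "http2" but HTTP/2 is only mentioned in a comment.
CONF_COMMENTED='server {
    listen 443 ssl;
    # listen 443 ssl http2;
    server_name example.test;
}'

# audit NAME CONFIG: prints PASS/FAIL and returns the check status.
audit() {
    if printf '%s\n' "$2" | nginx_http2_enabled; then
        echo "$1: PASS (HTTP/2 enabled on a TLS listener)"
    else
        echo "$1: FAIL (HTTPS listener without HTTP/2)"
        return 1
    fi
}

audit legacy    "$CONF_LEGACY"
audit directive "$CONF_DIRECTIVE"
audit commented "$CONF_COMMENTED" || true
```

To audit a live host, pipe the real configuration through the check, for example `cat /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf | nginx_http2_enabled`; include-d files must be fed in as well, since the script does not follow include directives.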
Impact
Default Value
- By default nginx does not enable HTTP/2 (no http2 parameter on listen, and the http2 directive defaults to off), so the highest protocol negotiated on an HTTPS listener is HTTP/1.1.
References
CIS Controls