HTTP/2 Security
What is HTTP/2 Security?
The security model of HTTP/2 (RFC 9113) over TLS 1.2+, plus the operational pitfalls of HPACK, multiplexing, CONTINUATION frames, and the 2023 Rapid Reset attack.
HTTP/2, specified in RFC 9113 (which obsoleted RFC 7540), multiplexes many concurrent requests over a single TLS connection, using binary frames and HPACK (RFC 7541) for header compression. In practice all browser HTTP/2 traffic runs over TLS 1.2 or 1.3, subject to the cipher-suite restrictions in RFC 9113 section 9.2. Implementations must mitigate several well-known abuse cases: the HPACK Bomb (memory amplification through compressed headers), the CONTINUATION flood (CVE-2024-27316, where an unbounded HEADERS+CONTINUATION sequence is buffered without limit), HTTP request smuggling at the H2-to-H1 boundary (where a front end downgrades HTTP/2 requests to HTTP/1.1 for a back end), and the Rapid Reset attack (CVE-2023-44487, disclosed October 2023), in which attackers opened streams and immediately cancelled them with RST_STREAM, exhausting server CPU at record DDoS rates. Server hardening therefore combines stream and frame quotas, RST_STREAM rate limits, and updated server implementations.
● Examples
- 01: CVE-2023-44487 (Rapid Reset): attackers opening and RST_STREAM-cancelling HTTP/2 streams, driving a DDoS that peaked at ~398 million requests per second.
- 02: CVE-2024-27316: nginx and others exhausting memory by accepting unbounded HEADERS+CONTINUATION sequences.
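The two quotas named in the definition, a cap on accumulated HEADERS+CONTINUATION bytes (the CVE-2024-27316 pattern) and a per-connection RST_STREAM rate limit (the CVE-2023-44487 pattern), as an added, illustrative example that is not part of this page or of any real server's code; `H2ConnectionGuard`, `frame` and the quota values are hypothetical, and the frames fed to it are constructed test input.

```python
from collections import deque

# Frame type codes and the END_HEADERS flag, from RFC 9113 section 6.
HEADERS, RST_STREAM, CONTINUATION = 0x1, 0x3, 0x9
END_HEADERS = 0x4

def frame(ftype, flags, stream_id, payload):
    """Build one raw frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

class H2ConnectionGuard:
    """Hypothetical per-connection quotas a server could enforce.

    max_header_block caps the bytes accumulated across one HEADERS + CONTINUATION
    sequence; max_resets caps RST_STREAM frames seen within the last window_frames
    frames. Exceeding either is reported with the ENHANCE_YOUR_CALM error name."""

    def __init__(self, max_header_block=16384, max_resets=10, window_frames=100):
        self.max_header_block = max_header_block
        self.max_resets = max_resets
        self.pending = 0            # bytes of the header block still open
        self.in_block = False       # True between HEADERS and its END_HEADERS
        self.recent = deque(maxlen=window_frames)  # 1 per RST_STREAM, 0 otherwise

    def feed(self, data):
        """Consume whole frames; return 'ok' or the reason to close the connection."""
        off = 0
        while off + 9 <= len(data):
            length = int.from_bytes(data[off:off + 3], "big")
            ftype, flags = data[off + 3], data[off + 4]
            off += 9 + length
            # RFC 9113 section 6.10: nothing may interleave an open header block.
            if self.in_block and ftype != CONTINUATION:
                return "PROTOCOL_ERROR: frame interleaved in header block"
            self.recent.append(1 if ftype == RST_STREAM else 0)
            if ftype in (HEADERS, CONTINUATION):
                self.pending += length
                if self.pending > self.max_header_block:
                    return "ENHANCE_YOUR_CALM: header block exceeds quota"
                self.in_block = not (flags & END_HEADERS)
                if not self.in_block:
                    self.pending = 0
            elif ftype == RST_STREAM and sum(self.recent) > self.max_resets:
                return "ENHANCE_YOUR_CALM: RST_STREAM rate exceeded"
        return "ok"
```

A real server would additionally bound the decoded HPACK size and tie the reset budget to the advertised concurrent-stream limit; the guard above only shows the frame-level accounting.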
● Frequently asked questions
What is HTTP/2 Security?
The security model of HTTP/2 (RFC 9113) over TLS 1.2+, plus the operational pitfalls of HPACK, multiplexing, CONTINUATION frames, and the 2023 Rapid Reset attack. It belongs to the Network Security category of cybersecurity.
What does HTTP/2 Security mean?
The security model of HTTP/2 (RFC 9113) over TLS 1.2+, plus the operational pitfalls of HPACK, multiplexing, CONTINUATION frames, and the 2023 Rapid Reset attack.
How do you defend against HTTP/2 Security?
Defences for HTTP/2 Security combine technical controls with operational practice: per-connection stream and frame quotas, RST_STREAM rate limits, bounds on accumulated HEADERS+CONTINUATION data, and promptly applying server updates that address CVE-2023-44487 and CVE-2024-27316, as described in the full definition above.
What are other names for HTTP/2 Security?
Common alternative names include: RFC 9113, h2.