HTTP/2 Security
What is HTTP/2 Security?
The security model of HTTP/2 (RFC 9113) over TLS 1.2+, plus the operational pitfalls of HPACK, multiplexing, CONTINUATION frames, and the 2023 Rapid Reset attack.
HTTP/2, specified in RFC 9113 (which obsoleted RFC 7540), multiplexes many concurrent requests over a single TLS connection, using binary frames and HPACK (RFC 7541) for header compression. In practice all browser HTTP/2 traffic runs over TLS 1.2 or 1.3, subject to the mandatory TLS and cipher-suite restrictions in RFC 9113 section 9.2. Implementations must mitigate well-known abuse cases: the HPACK Bomb (memory amplification through compressed headers), the CONTINUATION flood (CVE-2024-27316), HTTP request smuggling at the HTTP/2-to-HTTP/1.1 downgrade boundary, and the Rapid Reset attack (CVE-2023-44487, disclosed October 2023), in which attackers opened streams and immediately cancelled them with RST_STREAM to exhaust server CPU at record DDoS rates. Server hardening involves stream and frame quotas, RST_STREAM rate limits, and patched server implementations.
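The hardening controls listed above can be modelled at the connection level. The following Python is an added example, not code from the page or from any real HTTP/2 server: it tracks per-connection state and returns a verdict for each inbound frame, enforcing a concurrent-stream quota, a sliding-window RST_STREAM rate limit (the Rapid Reset mitigation), a byte budget across a HEADERS+CONTINUATION sequence (the CONTINUATION flood mitigation), and the RFC 9113 section 6.10 rule that no other frame may interleave an unfinished header block. The threshold values, the `Frame`/`ConnectionGuard` names and the simulated traffic generators are all assumptions made for the illustration; production servers implement equivalents internally and tune limits per deployment.

```python
"""Connection-level abuse guard for an HTTP/2 server (illustrative, not a real server)."""
from collections import deque
from dataclasses import dataclass, field

# Frame type codes from RFC 9113 section 6 and the END_HEADERS flag bit (0x4).
HEADERS, RST_STREAM, CONTINUATION = 0x1, 0x3, 0x9
END_HEADERS = 0x4


@dataclass
class Frame:
    type: int
    stream_id: int
    flags: int = 0
    length: int = 0   # payload length in bytes
    t: float = 0.0    # arrival time in seconds (constructed; a server would use a monotonic clock)


@dataclass
class Verdict:
    ok: bool
    reason: str = ""


@dataclass
class ConnectionGuard:
    # Illustrative limits (assumptions, not RFC values); tune per deployment.
    max_concurrent_streams: int = 100        # stream quota, like SETTINGS_MAX_CONCURRENT_STREAMS
    max_resets_per_window: int = 50          # Rapid Reset mitigation
    reset_window_s: float = 1.0
    max_header_block_bytes: int = 16 * 1024  # CONTINUATION flood mitigation
    open_streams: set = field(default_factory=set)
    reset_times: deque = field(default_factory=deque)
    pending_header_bytes: dict = field(default_factory=dict)  # stream_id -> bytes received so far

    def on_frame(self, f: Frame) -> Verdict:
        # RFC 9113 s6.10: while a header block is in progress, only CONTINUATION frames on
        # the same stream are allowed; anything else is a connection error (PROTOCOL_ERROR).
        if self.pending_header_bytes and not (
            f.type == CONTINUATION and f.stream_id in self.pending_header_bytes
        ):
            return Verdict(False, "PROTOCOL_ERROR: frame interleaved inside a header block")
        if f.type == HEADERS:
            if len(self.open_streams) >= self.max_concurrent_streams:
                return Verdict(False, "stream quota exceeded")
            self.open_streams.add(f.stream_id)
            return self._account_header_bytes(f)
        if f.type == CONTINUATION:
            if f.stream_id not in self.pending_header_bytes:
                return Verdict(False, "PROTOCOL_ERROR: CONTINUATION without a preceding HEADERS")
            return self._account_header_bytes(f)
        if f.type == RST_STREAM:
            self.open_streams.discard(f.stream_id)
            # Sliding window over reset timestamps: a peer cancelling far more streams than it
            # could plausibly need is treated as abusive and the connection gets a GOAWAY.
            self.reset_times.append(f.t)
            while self.reset_times and f.t - self.reset_times[0] > self.reset_window_s:
                self.reset_times.popleft()
            if len(self.reset_times) > self.max_resets_per_window:
                return Verdict(False, "RST_STREAM rate limit exceeded")
            return Verdict(True)
        return Verdict(True)  # DATA, SETTINGS, WINDOW_UPDATE, etc. are not modelled here

    def _account_header_bytes(self, f: Frame) -> Verdict:
        # Cap the total size of one logical header block, however many frames carry it,
        # so an endless HEADERS+CONTINUATION sequence cannot buffer memory without bound.
        total = self.pending_header_bytes.get(f.stream_id, 0) + f.length
        if total > self.max_header_block_bytes:
            return Verdict(False, "header block byte budget exceeded")
        if f.flags & END_HEADERS:
            self.pending_header_bytes.pop(f.stream_id, None)
        else:
            self.pending_header_bytes[f.stream_id] = total
        return Verdict(True)


def check(frames, guard=None):
    """Return (index, reason) of the first frame that trips the guard, or None if all pass."""
    guard = guard or ConnectionGuard()
    for i, f in enumerate(frames):
        v = guard.on_frame(f)
        if not v.ok:
            return i, v.reason
    return None


# Constructed traffic for exercising the guard (not captures of real attacks).
def simulated_normal_client(n=20):
    """n requests opened at once, then cancelled one every 250 ms, as a browser might on navigation."""
    frames = [Frame(HEADERS, 2 * i + 1, END_HEADERS, 200, 0.0) for i in range(n)]
    frames += [Frame(RST_STREAM, 2 * i + 1, 0, 4, 0.25 * i) for i in range(n)]
    return frames


def simulated_reset_burst(n):
    """n streams opened and immediately reset within a single window (Rapid Reset pattern)."""
    frames = []
    for i in range(n):
        frames.append(Frame(HEADERS, 2 * i + 1, END_HEADERS, 60, 0.0))
        frames.append(Frame(RST_STREAM, 2 * i + 1, 0, 4, 0.0))
    return frames


def simulated_continuation_flood(stream_id, chunks, chunk_len):
    """One HEADERS frame followed by CONTINUATION frames that never set END_HEADERS."""
    frames = [Frame(HEADERS, stream_id, 0, chunk_len)]
    frames += [Frame(CONTINUATION, stream_id, 0, chunk_len) for _ in range(chunks)]
    return frames


if __name__ == "__main__":
    print("normal client:", check(simulated_normal_client()))
    print("reset burst:", check(simulated_reset_burst(60)))
    print("continuation flood:", check(simulated_continuation_flood(1, 20, 1024)))
```

The guard answers the connection-level question a server must answer under Rapid Reset: not "is this one RST_STREAM legitimate?" (every reset is legal on its own) but "has this peer cancelled more work in the last second than any honest client would?", which is why the limit is a rate rather than a per-stream check. The header-block budget likewise counts bytes across frames, since each individual CONTINUATION frame can be small.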
● Examples
- 01
CVE-2023-44487 (Rapid Reset): attackers rapidly opening HTTP/2 streams and immediately cancelling them with RST_STREAM, driving DDoS peaks of ~398 million requests per second.
- 02
CVE-2024-27316: servers including nginx and others exhausting memory because they accepted unbounded HEADERS+CONTINUATION sequences.
● Frequently asked questions
What is HTTP/2 Security?
The security model of HTTP/2 (RFC 9113) over TLS 1.2+, plus the operational pitfalls of HPACK, multiplexing, CONTINUATION frames, and the 2023 Rapid Reset attack. It belongs to the Network Security category of cybersecurity.
How do you defend against HTTP/2 Security?
Defences for HTTP/2 Security typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for HTTP/2 Security?
Common alternative names include: RFC 9113, h2.
● Related terms
- network-security, № 499
HTTP/3 / QUIC
HTTP/3 (RFC 9114) is the HTTP mapping over QUIC (RFC 9000), a UDP-based, encrypted transport that integrates TLS 1.3 and provides per-stream multiplexing without head-of-line blocking.
- vulnerabilities, № 494
HTTP Request Smuggling
An attack that exploits disagreements between a front-end proxy and a back-end server on how an HTTP request ends, so an attacker can sneak a hidden second request through.
- network-security, № 1227
Web Application Firewall (WAF)
A reverse-proxy filter that inspects HTTP/HTTPS traffic to block web attacks such as SQL injection, XSS, and bot abuse before they reach the application.