Trend Micro Cloud One™

Enable HTTP/2

Risk level: Low (generally tolerable level of risk)
Rule ID: AppService-005

Ensure that your Microsoft Azure App Service web applications are using the latest version of the HTTP protocol (i.e. HTTP/2) in order to make your web applications load faster. HTTP 2.0 is a major upgrade of the HTTP/1.1 protocol. Its primary goal is to reduce the impact of latency and connection load on web servers by implementing full request and response multiplexing, minimizing protocol overhead via compression of HTTP header fields, and adding support for HTTP request prioritization and server push.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Performance efficiency

Once enabled, HTTP/2 will make your Azure App Service web applications faster, simpler, and more robust. This optimized version of the HTTP protocol no longer supports HTTP 1.1's chunked transfer encoding mechanism and provides its own, more efficient mechanism for data streaming. The main benefits of HTTP/2 are that it is fully multiplexed (instead of ordered and blocking like HTTP 1.1), uses only one TCP/IP connection and can use this connection for parallelism, uses header compression to reduce overhead, and is binary.

Note: Most modern web browsers support the HTTP 2.0 protocol over TLS only, while non-encrypted traffic continues to use HTTP 1.1. To ensure that all your application clients are connecting to your web apps using HTTP/2, you can buy an Azure App Service certificate for your application's custom domain or bind a third-party certificate.

Audit

To determine if your Azure App Service applications are using the latest version of the HTTP protocol, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the App Service web application that you want to examine.

04 In the navigation menu, under Settings, select Configuration to access the configuration settings defined for the selected application.

05 On the Configuration panel, select General settings tab to access the application general settings.

06 In the Platform settings section, check the HTTP version setting value to determine the HTTP version configured for the selected web application. If HTTP version is set to 1.1 (i.e. HTTP 1.1), the selected Microsoft Azure App Service web application is not configured to use the latest version of the HTTP protocol.

07 Repeat steps no. 3 – 6 for each Azure App Service web application created within the current subscription.

08 Repeat steps no. 3 – 7 for other subscriptions available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp list command (Windows/macOS/Linux) using custom query filters to list the IDs of all App Service web applications deployed in the current Azure subscription:

az webapp list --query '[*].id'

02 The command output should return the requested Azure App Service application IDs:

[
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-frontend-webapp",
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-webapp"
]

03 Run webapp config show command (Windows/macOS/Linux) using the ID of the application that you want to examine as identifier parameter and custom query filters to determine if the selected Azure App Service web application is configured to use the HTTP/2 protocol:

az webapp config show --ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-frontend-webapp" --query 'http20Enabled'

04 The command output should return the HTTP/2 protocol configuration status for the specified application:

false

If the webapp config show command output returns false, as shown in the example above, HTTP/2 is not enabled, therefore the selected Microsoft Azure App Service web application is not configured to use the latest version of HTTP protocol.

05 Repeat steps no. 3 – 6 for each Azure App Service web application available within the current subscription.

06 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.
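
The CLI audit steps above can be run in one pass over every subscription and web application. The script below is an added example, not part of the original Cloud Conformity page; the function names are hypothetical, and it assumes an authenticated Azure CLI session and resource IDs that contain no whitespace.

```sh
#!/bin/sh
# Added example: automates CLI audit steps 01-06 for rule AppService-005.
# Function and variable names are illustrative, not from the original page.

# IDs of every subscription visible to the signed-in account.
list_subscription_ids() {
  az account list --query '[].id' --output tsv
}

# Audit step 01: IDs of all App Service web apps in subscription $1.
list_webapp_ids() {
  az webapp list --subscription "$1" --query '[*].id' --output tsv
}

# Audit step 03: prints "true" or "false" for the app whose ID is $1.
http2_status() {
  az webapp config show --ids "$1" --query 'http20Enabled' --output json
}

# Prints "<status><TAB><app id>" for each app not confirmed to use HTTP/2.
# Status is "false" (HTTP/2 disabled) or "unknown" (the query failed, for
# example because the caller lacks read access to that app).
# Returns 0 if all apps are compliant, 1 if any is not, 2 if listing failed.
audit_http2() {
  audit_failed=0
  audit_subs=$(list_subscription_ids) || return 2
  # Word splitting is safe here: Azure IDs contain no whitespace (assumption).
  for audit_sub in $audit_subs; do
    audit_ids=$(list_webapp_ids "$audit_sub") || return 2
    for audit_id in $audit_ids; do
      audit_status=$(http2_status "$audit_id") || audit_status="unknown"
      if [ "$audit_status" != "true" ]; then
        printf '%s\t%s\n' "$audit_status" "$audit_id"
        audit_failed=1
      fi
    done
  done
  return "$audit_failed"
}
```

Source the file and call audit_http2; the exit status makes it usable as a gate in a scheduled compliance job.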

Remediation / Resolution

To enable the HTTP/2 protocol for your Microsoft Azure App Service web applications, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the web application that you want to reconfigure (see Audit section part I to identify the right application).

04 In the navigation menu, under Settings, select Configuration to access the configuration settings defined for the selected application.

05 On the Configuration panel, select General settings tab to access the web application general settings.

06 In the Platform settings section, select 2.0 from the HTTP version dropdown list to enable HTTP/2, the latest version of the HTTP protocol, for the selected web application.

07 Click Save to apply the change. Once this configuration change becomes active, the Azure Management Console should display the following confirmation message: "Successfully updated web app settings".

08 Repeat steps no. 3 – 7 for each Azure App Service web application deployed in the current subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp config set command (Windows/macOS/Linux) using the ID of the Azure App Service web application that you want to reconfigure as identifier parameter (see Audit section part I to identify the right application) to enable HTTP/2, the latest version of the HTTP protocol, for the selected web application:

az webapp config set --ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-frontend-webapp" --http20-enabled true

02 The command output should return the metadata available for the reconfigured web application:

{
  "alwaysOn": false,
  "apiDefinition": null,
  "appCommandLine": "",
  "appSettings": null,
  "autoHealEnabled": false,
  "autoHealRules": null,
  "autoSwapSlotName": null,
  "azureStorageAccounts": null,
  "connectionStrings": null,
  "detailedErrorLoggingEnabled": false,
  "documentRoot": null,
  "ftpsState": "AllAllowed",
  "handlerMappings": null,
  "http20Enabled": true,
 
  ...
 
  "httpLoggingEnabled": false,
  "publishingUsername": "$cc-frontend-webapp",
  "push": null,
  "pythonVersion": "",
  "remoteDebuggingEnabled": false,
  "remoteDebuggingVersion": "VS2017",
  "requestTracingEnabled": false,
  "requestTracingExpirationTime": null,
  "reservedInstanceCount": 0,
  "resourceGroup": "cloud-shell-storage-westeurope",
  "webSocketsEnabled": false,
  "windowsFxVersion": null,
  "xManagedServiceIdentityId": null
}

03 Repeat steps no. 3 and 4 for each Azure App Service web application available within the current subscription.

04 Repeat steps no. 3 – 5 for each subscription created in your Microsoft Azure cloud account.

Publication date Sep 30, 2019
