Azure App Service HTTP/2 Not Enabled
ID: azure-appservice-http2-not-enabled
Severity: low
Author: princechaddha
Tags: cloud,devops,azure,microsoft,appservice,azure-cloud-config
Description
Section titled “Description”Ensure that your Microsoft Azure App Service web applications are using the latest version of the HTTP protocol (i.e. HTTP/2) in order to make your web applications load faster. HTTP 2.0 represents a major upgrade of the HTTP/1.1 protocol, with the primary goals of reducing the impact of latency and connection load on web servers through full request and response multiplexing, minimizing protocol overhead via HTTP header field compression, and supporting HTTP request prioritization and server push.
YAML Source
Section titled “YAML Source”id: azure-appservice-http2-not-enabledinfo: name: Azure App Service HTTP/2 Not Enabled author: princechaddha severity: low description: | Ensure that your Microsoft Azure App Service web applications are using the latest version of the HTTP protocol (i.e. HTTP/2) in order to make your web applications load faster. HTTP 2.0 represents a major upgrade of the HTTP/1.1 protocol, with the primary goals of reducing the impact of latency and connection load on web servers through full request and response multiplexing, minimizing protocol overhead via HTTP header field compression, and supporting HTTP request prioritization and server push. impact: | Not using HTTP/2 can result in slower web applications due to increased latency and connection load. remediation: | Enable HTTP/2 on your Azure App Service web applications to improve their performance and adhere to modern web standards. reference: - https://docs.microsoft.com/en-us/azure/app-service/configure-language-http2 tags: cloud,devops,azure,microsoft,appservice,azure-cloud-config
flow: | code(1); for (let WebAppId of iterate(template.webAppIds)) { set("id", WebAppId); code(2); }
self-contained: truecode: - engine: - sh - bash source: | az webapp list --query '[*].id' --output json
extractors: - type: json name: webAppIds internal: true json: - '.[]'
- engine: - sh - bash source: | az webapp config show --ids $id --query 'http20Enabled' --output json
matchers: - type: word words: - "false"
extractors: - type: dsl dsl: - 'id + " does not have HTTP/2 enabled"'# digest: 4a0a00473045022100f7d0215f7672b4f0a16a3ad3d3dc1889a424e14d098ac25f20c83a7959080b9f02207240116d62fd78868d1eea9d0e9e0bad7d8bf438e0b58d30da830ae22d5d2a06:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/appservice/azure-appservice-http2-not-enabled.yaml"