The web server must only use forward proxies that route HTTP/2 requests upstream.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-264366	SRG-APP-000439-WSR-000196	SV-264366r984443_rule		Medium

Description

Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and read or altered. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. It is crucial that the web server and forward proxy agree about the boundaries between requests. Otherwise, an attacker may be able to send ambiguous and other smuggling attacks to the web server.

STIG	Date
Web Server Security Requirements Guide	2025-02-12

Details

Check Text (C-68279r984441_chk)

If a forward proxy is not used, this is not applicable.

Verify the web server only uses forward proxies that route HTTP/2 requests upstream.

If the web server uses forward proxies that do not only route HTTP/2 requests, this is a finding.

Fix Text (F-68187r984442_fix)

Configure the web server to only use forward proxies that route HTTP/2 requests upstream.