What are the security benefits or risks of HTTP/2?

RFC 7540 Section 10 is a security consideration section that documents a number of security considerations when implementing and/or using HTTP/2. Briefly:

10.1. Server Authority

10.2. Cross-Protocol Attacks

10.3. Intermediary Encapsulation Attacks

10.4. Cacheability of Pushed Responses

10.5. Denial-of-Service Considerations

10.5.1. Limits on Header Block Size

10.5.2. CONNECT Issues

10.6. Use of Compression

10.7. Use of Padding

10.8. Privacy Considerations

Most of the regular security considerations for HTTP/1 are also still valid, as HTTP/2 has the same application level semantic as HTTP/1.

From a cryptographic point of view, HTTP/2 requires to support at least TLS1.2 which means the communication channel will be encrypted using AEAD ciphers i.e. state-of-the-art crypto.

What are the security benefits or risks of HTTP/2?

Tags:

Http

Protocols

Http2

Internet

Risk

Related

Recent Posts