Microsoft AzureOverview
Periodically, newer HTTP versions are released, either due to security flaws or to include additional functionality. Apps should use the latest HTTP version to take advantage of any security fixes and/or new functionalities of the newer version.
Rationale
Newer versions may contain security enhancements and additional functionality. Using the latest version is recommended for enhancements and new capabilities. Organizations must determine if a given update meets their requirements with each software installation. They must also verify the compatibility and support of any additional software against the selected update revision.
HTTP 2.0 has additional performance improvements on the old HTTP version's head-of-line blocking problem, header compression, and request prioritization. HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism, as it provides its own, more efficient, mechanisms for data streaming.
Impact
Most modern browsers support HTTP 2.0 protocol over TLS only, while non-encrypted traffic uses HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third-party certificate.
Remediation guidance
Remediate from Azure Portal
- Open the web app using the
Open in Azurebutton. - Under
Settingsection, Click onConfiguration - Set
HTTP versionto2.0underGeneral settings
NOTE: Most modern browsers support HTTP 2.0 protocol over TLS only, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third-party certificate.
Remediate from Azure CLI
To set HTTP 2.0 version for an existing app, run the following command:
az webapp config set --resource-group --name --http20-enabled true
Remediate from PowerShell
To enable HTTP 2.0 version support, run the following command:
Set-AzWebApp -ResourceGroupName -Name -Http20Enabled $true
Multiple Remediation Paths
Azure
SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.
PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.
References for Service-Wide Patterns
- Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
- Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
- Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
Azure App Service apps without HTTP 2.0
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { siteConfig: { http20Enabled: false } }) {
...AssetFragment
}
}
