10. Security Considerations
10.1 Server Authority
HTTP/2 relies on the HTTP/1.1 definition of authority for determining whether a server is authoritative in providing a given response (RFC 7230, Section 9.1). For the "http" scheme this rests on local name resolution; for the "https" scheme it rests on the server identity authenticated during the TLS handshake (RFC 2818, Section 3). Because a single HTTP/2 connection may be reused for requests to more than one origin (Section 9.1.1), this authority check is what stops a server from answering for hosts it has no authority over.
10.2 Cross-Protocol Attacks
In a cross-protocol attack, an attacker causes a client to initiate a transaction in one protocol toward a server that understands a different protocol, hoping the bytes are accepted as a valid transaction in the second protocol; combined with the capabilities of the web context, this can be used to reach poorly protected servers on private networks. Over TLS, completing the handshake with an ALPN identifier for HTTP/2 is considered sufficient protection: ALPN is a positive indication that the server is willing to proceed with HTTP/2, and the encryption denies the attacker control over the bytes that reach a cleartext protocol. Cleartext HTTP/2 (h2c) has minimal protection. The connection preface (Section 3.5) contains a string designed to confuse HTTP/1.1 servers but offers nothing against other protocols, and a server willing to ignore parts of an HTTP/1.1 request that carries an Upgrade header field in addition to the client connection preface could be exposed to a cross-protocol attack.
10.3 Intermediary Encapsulation Attacks
HTTP/2 header field encoding (HPACK) allows the expression of names and values that are not valid in HTTP/1.1, for example names containing uppercase or non-token characters and values containing CR, LF or NUL octets. An intermediary that translates HTTP/2 to HTTP/1.1 without validating them could emit a header section that the next hop parses as extra header fields or even as an additional request or response (request or response splitting). Header field names and values that contain characters not permitted by HTTP/1.1 (RFC 7230) must therefore be treated as malformed (Section 8.1.2.6) and the message rejected rather than forwarded. The reverse direction is safer, since a field valid in HTTP/1.1 is representable in HPACK, but an intermediary must still lowercase field names before encoding them.
10.4 Cacheability of Pushed Responses
Pushed responses do not have an explicit request from the client; the request is supplied by the server in the PUSH_PROMISE frame. A client can cache a pushed response according to the Cache-Control guidance from the origin server, but only because it trusts the server to be authoritative for the promised resource; a client must treat a PUSH_PROMISE for which the server is not authoritative as a stream error of type PROTOCOL_ERROR (Section 8.2). This matters where one server hosts more than one tenant: the server must ensure that a tenant cannot push representations of resources it has no authority over, since such a pushed response would otherwise be served from cache, overriding the actual representation provided by the authoritative tenant.
10.5 Denial-of-Service Considerations
10.5.1 Limits on Header Block Size
Large or unbounded header blocks can be used to overload servers, because a receiver has to decode and buffer the whole block (possibly spread across CONTINUATION frames) before the request can be acted on. A server advertises the largest header list it is prepared to accept with SETTINGS_MAX_HEADER_LIST_SIZE, measured as the uncompressed size of all field names and values plus 32 octets of overhead per field (Section 6.5.2). The setting is advisory: a peer might still send a larger block, so a server must be ready to refuse one, for example with a 431 (Request Header Fields Too Large) response or by resetting the stream, instead of buffering without limit. A client can likewise discard responses it cannot process.
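The two checks above (reject HPACK-decoded fields an HTTP/1.1 parser would misread, and enforce the advertised header list size) are what an HTTP/2-to-HTTP/1.1 gateway has to do before it serialises anything. The following is an added example written for this page, not code from RFC 7540 or from any particular implementation; the header lists are constructed, the 8192-octet limit is an assumed SETTINGS_MAX_HEADER_LIST_SIZE, and the size is computed per Section 6.5.2.

```python
import re
from typing import List, Tuple

Header = Tuple[str, str]

# RFC 7230 token characters; HTTP/2 additionally requires lowercase names (RFC 7540 8.1.2).
FIELD_NAME_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9a-z]+$")
# field-value = VCHAR / SP / HTAB / obs-text.  CR, LF and NUL are the octets an
# HTTP/1.1 parser reads as end-of-line or end-of-header, so they must never pass.
FIELD_VALUE_RE = re.compile(r"^[\t\x20-\x7e\x80-\xff]*$")
PSEUDO_HEADERS = {":method", ":scheme", ":authority", ":path", ":status"}
# Connection-specific fields have no meaning in HTTP/2 and must not be forwarded (8.1.2.2).
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection",
                       "transfer-encoding", "upgrade"}


def header_list_size(headers: List[Header]) -> int:
    """Size as defined for SETTINGS_MAX_HEADER_LIST_SIZE (RFC 7540 6.5.2):
    uncompressed name and value lengths plus 32 octets per field."""
    return sum(len(n.encode()) + len(v.encode()) + 32 for n, v in headers)


def validate_header_block(headers: List[Header],
                          max_header_list_size: int = 8192) -> List[str]:
    """Return the reasons a decoded header block is malformed (empty list = OK)."""
    problems = []
    size = header_list_size(headers)
    if size > max_header_list_size:
        problems.append(f"header list size {size} exceeds advertised limit "
                        f"{max_header_list_size}")
    for name, value in headers:
        if name.startswith(":"):
            if name not in PSEUDO_HEADERS:
                problems.append(f"unknown pseudo-header {name!r}")
        elif not FIELD_NAME_RE.match(name):
            problems.append(f"invalid field name {name!r}: must be lowercase token characters")
        if name in CONNECTION_SPECIFIC or (name == "te" and value != "trailers"):
            problems.append(f"connection-specific field {name!r} is not allowed in HTTP/2")
        if not FIELD_VALUE_RE.match(value):
            problems.append(f"field value of {name!r} contains CR, LF, NUL or another control octet")
    return problems


def to_http1_request(headers: List[Header], max_header_list_size: int = 8192) -> str:
    """Translate an HTTP/2 request header block into an HTTP/1.1 request head,
    refusing (ValueError) rather than emitting anything the next hop could read
    as a second request."""
    problems = validate_header_block(headers, max_header_list_size)
    pseudo = {n: v for n, v in headers if n.startswith(":")}
    missing = {":method", ":scheme", ":path"} - set(pseudo)
    if missing:
        problems.append("missing pseudo-headers " + ", ".join(sorted(missing)))
    if problems:
        raise ValueError("malformed header block: " + "; ".join(problems))
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1"]
    if ":authority" in pseudo:
        lines.append(f"Host: {pseudo[':authority']}")
    lines += [f"{n}: {v}" for n, v in headers if not n.startswith(":")]
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    # Constructed request: a forwarded header value smuggles a second request.
    smuggled = [(":method", "GET"), (":scheme", "https"), (":authority", "example.com"),
                (":path", "/"), ("x-forwarded-host", "example.com\r\nx-injected: 1")]
    print(validate_header_block(smuggled))
```

The gateway never has to know what the injected line means; the rule is simply that a value with CR, LF or NUL cannot be represented in HTTP/1.1 and so the whole message is malformed. Note that `to_http1_request` checks the size limit before touching pseudo-headers, so an oversized block is rejected even when it is otherwise well formed.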
10.5.2 CONNECT Issues
The CONNECT method can be used to create disproportionate load on a proxy, since creating a stream is cheap compared with creating and maintaining the TCP connection the tunnel requires. A proxy might also keep resources for that TCP connection beyond the closing of the stream that carried the CONNECT request, because the outgoing connection remains in the TIME_WAIT state. Proxies therefore cannot rely on SETTINGS_MAX_CONCURRENT_STREAMS alone to limit the resources consumed by CONNECT requests and need their own per-client accounting of tunnels, including ones that have just closed.
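The point is that the stream limit counts open streams while the expensive resource, the outgoing TCP connection, outlives the stream. Below is an added example of per-client tunnel accounting that keeps a closed tunnel on the books for a linger period modelling TIME_WAIT; it is written for this page, not taken from RFC 7540 or any proxy, and the budget of four tunnels and the 60-second linger are assumed values. Time is passed in explicitly so the behaviour can be checked without sleeping.

```python
from collections import deque
from typing import Deque, Set, Tuple


class ConnectBudget:
    """Per-client accounting for CONNECT tunnels on an HTTP/2 proxy (constructed example).
    A closed tunnel keeps costing the proxy for `linger` seconds, standing in for the
    outgoing socket's TIME_WAIT, so it stays counted until that time has passed."""

    def __init__(self, max_tunnels: int, linger: float = 60.0) -> None:
        self.max_tunnels = max_tunnels
        self.linger = linger
        self.open: Set[int] = set()
        self.lingering: Deque[Tuple[float, int]] = deque()  # (expiry, stream_id), oldest first

    def _expire(self, now: float) -> None:
        while self.lingering and self.lingering[0][0] <= now:
            self.lingering.popleft()

    def in_use(self, now: float) -> int:
        """Tunnels still charged to this client: open ones plus those in the linger window."""
        self._expire(now)
        return len(self.open) + len(self.lingering)

    def try_open(self, stream_id: int, now: float) -> bool:
        """Admit a CONNECT on stream_id, or refuse it (caller would answer with
        RST_STREAM(REFUSED_STREAM) or a 503) when the budget is exhausted."""
        if self.in_use(now) >= self.max_tunnels:
            return False
        self.open.add(stream_id)
        return True

    def close(self, stream_id: int, now: float) -> None:
        self.open.discard(stream_id)
        self.lingering.append((now + self.linger, stream_id))


def simulate_churn(budget: ConnectBudget, attempts: int, now: float) -> int:
    """A client that opens a tunnel and closes it at once, `attempts` times, so it never
    has more than one stream open and SETTINGS_MAX_CONCURRENT_STREAMS never triggers.
    Returns how many tunnels the budget admitted."""
    accepted = 0
    for stream_id in range(1, 2 * attempts, 2):  # client-initiated streams are odd
        if budget.try_open(stream_id, now):
            budget.close(stream_id, now)
            accepted += 1
    return accepted


if __name__ == "__main__":
    budget = ConnectBudget(max_tunnels=4, linger=60.0)
    print("admitted:", simulate_churn(budget, 10, now=0.0))
    print("still charged at t=30:", budget.in_use(30.0))
```

A real proxy would key the budget by client identity (connection, source address or authenticated user), charge a tunnel from the moment the outgoing connect starts, and pick the linger to match the platform's actual TIME_WAIT duration.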
10.6 Use of Compression
Compression can allow an attacker to recover secret data when it is compressed in the same context as data under the attacker's control: the compressed size shrinks as the attacker's guess shares more bytes with the secret, and TLS protects content but not length (this is the BREACH class of attack). Implementations communicating on a secure channel must not compress content that includes both confidential and attacker-controlled data unless separate compression dictionaries are used for each source of data, and must not use compression if the source of the data cannot be reliably determined. Most common web content, such as HTML, cannot safely be compressed if it contains an attacker-controlled value. The corresponding considerations for header field compression are described in the HPACK specification (RFC 7541).
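To make the leak concrete, here is an added example (written for this page, not from RFC 7540 or any real implementation) that recovers a secret from compressed size alone, and shows that the separate-context rule above closes the leak. It assumes a constructed page in which a search string is reflected next to a CSRF token, a constructed token value, and a simplified greedy LZ77 cost model in bits (9 per literal, 24 per back-reference) standing in for DEFLATE so that a one-byte-longer match is visible exactly; against real zlib output the same attack works but needs extra care because sizes are rounded to whole bytes.

```python
from typing import Callable


def lz77_cost_bits(data: bytes, window: int = 4096, min_match: int = 3) -> int:
    """Size in bits of a greedy LZ77 encoding of data under a constructed cost model:
    9 bits per literal byte, 24 bits per back-reference of length >= min_match."""
    i, bits, n = 0, 0, len(data)
    while i < n:
        best = 0
        for j in range(max(0, i - window), i):
            k = 0
            while i + k < n and k < 258 and data[j + k] == data[i + k]:
                k += 1
            best = max(best, k)
        if best >= min_match:
            bits += 24
            i += best
        else:
            bits += 9
            i += 1
    return bits


SECRET_TOKEN = "7f3a9c"  # constructed anti-CSRF token the attacker is after


def page(reflected: str) -> bytes:
    """Constructed page: attacker-controlled input echoed next to a secret."""
    return (f"<p>Search: {reflected}</p>"
            f"<input name=csrf value={SECRET_TOKEN}>").encode()


def shared_context_oracle(reflected: str) -> int:
    """Whole page compressed in one context.  TLS hides the bytes, not the
    length, so this number is what an on-path attacker observes."""
    return lz77_cost_bits(page(reflected))


def separate_context_oracle(reflected: str) -> int:
    """The RFC's mitigation: attacker-controlled and secret data are compressed
    in separate contexts, so a guess can never form a match with the secret."""
    attacker_part = f"<p>Search: {reflected}</p>".encode()
    secret_part = f"<input name=csrf value={SECRET_TOKEN}>".encode()
    return lz77_cost_bits(attacker_part) + lz77_cost_bits(secret_part)


def recover_token(oracle: Callable[[str], int], prefix: str,
                  alphabet: str, length: int) -> str:
    """BREACH-style guessing: extend the known prefix one character at a time,
    keeping the single candidate that compresses best (longest match with the
    secret).  Stops and returns what it has if no candidate stands out."""
    known = ""
    for _ in range(length):
        costs = {c: oracle(prefix + known + c) for c in alphabet}
        cheapest = min(costs.values())
        winners = [c for c, cost in costs.items() if cost == cheapest]
        if len(winners) != 1:
            return known  # every guess costs the same: nothing leaks
        known += winners[0]
    return known


if __name__ == "__main__":
    HEX = "0123456789abcdef"
    print("shared context  :", recover_token(shared_context_oracle, "csrf value=", HEX, 6))
    print("separate context:", repr(recover_token(separate_context_oracle, "csrf value=", HEX, 6)))
```

Each round costs the attacker only as many requests as the alphabet has symbols, which is why "never compress attacker input together with a secret" is the rule rather than "make the secret long".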
10.7 Use of Padding
Padding within HTTP/2 is not intended as a replacement for general-purpose padding such as TLS might provide, and redundant padding can even be counterproductive; against compression-based attacks, disabling or limiting compression is usually the better countermeasure. Padding can obscure the exact size of frame content and is provided to mitigate specific attacks within HTTP/2, for example where compressed content includes both attacker-controlled plaintext and secret data. It gives less protection than might seem obvious: at best it only increases the number of frames an attacker has to observe before inferring length information. Incorrectly implemented schemes are easily defeated; in particular, randomized padding with a predictable distribution provides very little protection, and padding payloads to a fixed size exposes information as payload sizes cross the fixed-size boundary, which an attacker who controls part of the plaintext can force. Intermediaries should retain padding for DATA frames but may drop it for HEADERS and PUSH_PROMISE frames.
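The following added example (written for this page, not from RFC 7540 or any HTTP/2 library) serialises and parses padded DATA frames as Section 6.1 defines them, including the Pad Length check that must raise PROTOCOL_ERROR, and then measures the two weak schemes named above: uniform random padding, which an attacker strips by taking the smallest frame seen, and padding to a fixed block, which leaks exactly when the payload crosses the boundary. The payloads, the 64-octet block size and the RNG seed are constructed values.

```python
import random
from typing import List, Optional, Tuple

FRAME_HEADER_LEN = 9  # 24-bit length, 8-bit type, 8-bit flags, 32-bit R + stream id
DATA_FRAME = 0x0
FLAG_PADDED = 0x8


def encode_data_frame(stream_id: int, data: bytes, pad_length: Optional[int] = None) -> bytes:
    """Serialise a DATA frame (RFC 7540 6.1).  pad_length=None sends no padding;
    0..255 sets PADDED and prefixes the payload with the Pad Length octet."""
    if pad_length is None:
        flags, payload = 0, data
    else:
        if not 0 <= pad_length <= 255:
            raise ValueError("Pad Length is a single octet")
        flags, payload = FLAG_PADDED, bytes([pad_length]) + data + bytes(pad_length)
    header = (len(payload).to_bytes(3, "big") + bytes([DATA_FRAME, flags])
              + (stream_id & 0x7FFFFFFF).to_bytes(4, "big"))
    return header + payload


def decode_data_frame(frame: bytes) -> Tuple[int, bytes]:
    """Parse a DATA frame and strip its padding.  Padding as long as the whole
    payload (or longer) is a connection error of type PROTOCOL_ERROR."""
    length = int.from_bytes(frame[:3], "big")
    ftype, flags = frame[3], frame[4]
    stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF
    payload = frame[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
    if ftype != DATA_FRAME or len(payload) != length:
        raise ValueError("not a complete DATA frame")
    if flags & FLAG_PADDED:
        pad_length = payload[0]
        if pad_length >= length:
            raise ValueError("PROTOCOL_ERROR: Pad Length >= frame payload length")
        payload = payload[1:length - pad_length]
    return stream_id, payload


def random_padded_sizes(data: bytes, samples: int, seed: int) -> List[int]:
    """Wire sizes of one payload resent `samples` times with uniform 0..255 padding."""
    rng = random.Random(seed)  # seeded only so the demonstration is repeatable
    return [len(encode_data_frame(1, data, rng.randrange(256))) for _ in range(samples)]


def infer_payload_length(observed_sizes: List[int]) -> int:
    """Attacker's estimate: the smallest frame carried the least padding, and with
    a known distribution enough samples make that minimum the unpadded size."""
    return min(observed_sizes) - FRAME_HEADER_LEN - 1


def fixed_block_size(data: bytes, block: int = 64) -> int:
    """Wire size when payload plus Pad Length octet is padded to a multiple of `block`."""
    padded = -(-(len(data) + 1) // block) * block
    return len(encode_data_frame(1, data, padded - len(data) - 1))


if __name__ == "__main__":
    sizes = random_padded_sizes(b"x" * 40, 20000, seed=7)
    print("distinct sizes seen:", len(set(sizes)), "inferred length:", infer_payload_length(sizes))
    for n in (62, 63, 64):
        print(f"{n} payload octets padded to 64-octet block ->", fixed_block_size(b"a" * n), "on the wire")
```

Random padding only raises the number of observations the attacker needs, as the RFC says; fixed-block padding hides nothing at all for an attacker who can nudge the payload by one byte across the block boundary, which is precisely what a reflected parameter allows.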
10.8 Privacy Considerations
Several characteristics of HTTP/2 provide an observer an opportunity to correlate actions of a single client or server over time: the values it chooses for settings, the way it manages flow-control windows, how it allocates priorities to streams, the timing of its reactions to stimulus, and its handling of any feature controlled by settings. Where these create observable differences in behaviour, they can serve as a basis for fingerprinting a specific client or server. In addition, HTTP/2's preference for a single long-lived TCP connection allows a server or on-path observer to correlate a user's activity on a site, and reusing that connection for different origin servers allows tracking across those origins.