The web server must only use forward proxies that route HTTP/2 requests upstream.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-264366	SRG-APP-000439	SRG-APP-000439-WSR-000196	SV-264366r984443_rule	2025-02-12	4

Description
Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and read or altered. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. It is crucial that the web server and forward proxy agree about the boundaries between requests. Otherwise, an attacker may be able to send ambiguous and other smuggling attacks to the web server.

Description

Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and read or altered. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. It is crucial that the web server and forward proxy agree about the boundaries between requests. Otherwise, an attacker may be able to send ambiguous and other smuggling attacks to the web server.

ℹ️ Check
If a forward proxy is not used, this is not applicable. Verify the web server only uses forward proxies that route HTTP/2 requests upstream. If the web server uses forward proxies that do not only route HTTP/2 requests, this is a finding.

✔️ Fix
Configure the web server to only use forward proxies that route HTTP/2 requests upstream.