Now that HTTP/2 is here and widely adopted by client browsers, many of the performance challenges that existed with HTTP1.1 are finally addressed and solved. But what about security?
While HTTP/2 provides a higher level of privacy by mandating (de-facto because of browser implementation) traffic encryption, security solutions such as Web Application Firewalls (WAFs) are not keeping pace with the HTTP/2 evolution. No WAF today can provide protection against application level attacks launched overt the HTTP/2 protocol stack, potentially leaving HTTP/2 based web applications vulnerable.
Customers that use a WAF to protect their applications and want to benefit from the performance enhancements that come with HTTP/2, need to first find out if their WAF supports the new HTTP/2 protocol or not. Chances are that it doesn't...
Why is my WAF not working?
If the WAF you use does not support HTTP/2, many web application level attacks could pass under its radar undetected if HTTP/2 is used to communicate with the server.
Here's why:
In a typical environment, the application web servers will be upgraded to support HTTP/2. The WAF, which is sitting in front of the server, will see the client-server communication using the HTTP/2 protocol. Even if the WAF is able to see the decoded encrypted content, until the WAF is upgraded to support HTTP/2, it is unlikely that it will be able to detect most of the web application level attacks (even simple ones like a HTTP flood).
Does that mean that HTTP/2 is not for me? Not necessarily.
It is possible to support HTTP/2 and maintain a proper security model. This requires the deployment of a HTTP/2 gateway in front of the web application's server farm. This gateway is used to translate the client browsers' communication from HTTP/2 to HTTP 1.1 towards the server, and vice versa.
In this model, the WAF that sits in front of the web server farm will see all communication between the browser and server as the HTTP 1.1 protocol, since the HTTP/2 gateway in front of it will translate all communication from HTTP/2 to HTTP 1.1 and vice versa. Meaning that even if your WAF only supports HTTP 1.1, it will still continue to provide web application level protection, even if the attacks are launched over the new HTTP/2 protocol.
Your WAF and HTTP/2 Gateway Should Work Together
When the WAF and the HTTP/2 gateway are both part of the same ADC unit (which provides all the application delivery services for that web application including load balancing, security, and HTTP/2 gateway functionality), it is important to ensure these functions are properly implemented and operating in the ADC device.
It should first provide the HTTP/2 gateway functionality, translating the traffic to HTTP 1.1. Only then should the traffic run through the WAF module and at the end of the process, route the traffic to the appropriate web application server. This process enables a WAF to still provide its full protection – even for transactions carried over HTTP/2.
Supporting HTTP/2 provides many benefits including performance and privacy for the end users accessing the web application. However, there are many considerations that might prevent application owners from adopting HTTP/2 natively on their servers today. Adopting the new protocol with an HTTP/2 gateway returns most, if not all, of these benefits and can aid in solving many of the migration challenges.