Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’)
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-444: Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’) |
| OWASP | A04:2021 - Insecure Design |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The Azure Function App resource does not enable HTTP/2: ‘http2_enabled = true’ is not set. This means your app may be using an older HTTP version that lacks important security and performance improvements.
Impact
Without HTTP/2 enabled, your function app is more susceptible to certain security issues like request smuggling and may miss out on protocol-level protections. Attackers could exploit these weaknesses to interfere with HTTP requests or degrade service reliability, potentially leading to unauthorized access or data leaks.