http2
Safeguard articles tagged "http2" — guides, analysis, and best practices for software supply chain and application security.
5 articles
HTTP/2 CONTINUATION Flood: Inside CVE-2024-27316 and the Frame-Based DoS Class
A single TCP connection with no END_HEADERS flag was enough to crash major HTTP/2 servers — worse than Rapid Reset, and it took the industry a decade to check for it.
Hardening HTTP/2 against protocol-level DoS attacks
HTTP/2 Rapid Reset hit Google with 398 million requests per second in 2023 — a single protocol quirk, not a bug in any one server, drove the largest DDoS ever disclosed.
The security cost of long-lived HTTP connections
Keep-alive and HTTP/2 multiplexing cut handshake overhead but hold server resources open per connection — Slowloris and 2023's Rapid Reset attacks both exploited exactly that tradeoff.
HTTP/2 Rapid Reset (CVE-2023-44487) Explained
A protocol-level flaw in HTTP/2 turned a normal feature into the largest DDoS attacks ever recorded. Here is how Rapid Reset works and which library versions fix it.
Eclipse Jetty Vulnerabilities: What to Patch and When
Jetty's HTTP/2 handling and older 9.4.x branches have carried real denial-of-service and information-disclosure CVEs — here's what a jetty 9.4.41 exploit actually looks like and which versions close it.