Disable HTTP/2 by Default for Webhooks to Mitigate CVE Risks
- Ensure HTTP/2 is disabled when the enable-http2 flag is set to false (default).
- Disabling HTTP/2 mitigates vulnerabilities associated with:
  - HTTP/2 Stream Cancellation (GHSA-qppj-fm5r-hxr3)
  - HTTP/2 Rapid Reset (GHSA-4374-p667-p6c8)
- While CVE fixes exist, they remain insufficient; disabling HTTP/2 helps reduce risks.
  For details, see:
  - GHSA-qppj-fm5r-hxr3
  - GHSA-4374-p667-p6c8
  - golang/go#63417
camilamacedo86 committed Dec 13, 2024
1 parent ae62f7f commit bcd5996
Showing 1 changed file with 1 addition and 3 deletions.
4 changes: 1 addition & 3 deletions cmd/manager/main.go
Expand Up @@ -193,9 +193,7 @@ func main() {
webhookServer := crwebhook.NewServer(crwebhook.Options{
Port: webhookPort,
TLSOpts: []func(*tls.Config){
func(cfg *tls.Config) {
cfg.GetCertificate = cw.GetCertificate
},
tlsOpts,
},
})
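
Review bot: The inline callback removed from TLSOpts was the only place in this hunk that set cfg.GetCertificate = cw.GetCertificate, and its replacement tlsOpts is defined outside the visible lines, so the hunk alone does not show that the webhook server still serves the certificate from cw. Please confirm that tlsOpts both keeps the GetCertificate assignment and applies the HTTP/2 restriction when enable-http2 is false, and consider keeping the two concerns as separate entries in the slice so that each is visible at the call site. Also note that TLSOpts is a []func(*tls.Config), so tlsOpts must be a single func(*tls.Config) here; if it is a slice of options it needs to be assigned or appended rather than listed as one element. A short comment next to tlsOpts naming the advisories from the commit message (GHSA-qppj-fm5r-hxr3, GHSA-4374-p667-p6c8) would explain why HTTP/2 is off by default.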
