HTTP/2 or HTTP/3 enabled on server and CDN

ab-002016 · performance-core.script-style-efficiency.http2-enabled

Severity: lowactive

Why it matters

HTTP/1.1 limits browsers to 6 parallel TCP connections per origin. A page loading 30 assets — JS chunks, CSS, images, fonts — from a single origin serializes those requests into 5 batches, each waiting for the previous to finish (ISO-25010 time-behaviour). HTTP/2 multiplexes all requests over a single connection with no per-connection limit, eliminating the batching delay entirely. HTTP/3 adds QUIC transport, removing the head-of-line blocking that HTTP/2 still has at the TCP layer. Remaining on HTTP/1.1 in 2025 is a structural performance penalty.

Severity rationale

Low because HTTP/1.1 adds measurable latency on asset-heavy pages but most modern hosting platforms default to HTTP/2, so the finding typically reflects a misconfiguration rather than a missing feature.

Remediation

Verify your protocol and enable HTTP/2 or HTTP/3 where it is not already active. Check the response protocol:

curl -sI https://yoursite.com | head -5
# Expected: HTTP/2 or HTTP/3 in the first line

For common hosting platforms — no code change required, just verify settings:

Vercel: HTTP/2 and HTTP/3 enabled by default on all deployments.
Netlify: HTTP/2 enabled by default.
AWS CloudFront: Enable HTTP/2 in the distribution's Protocol Policy settings (CloudFront → Distribution → Edit → HTTP/2).
Cloudflare: HTTP/2 and HTTP/3 enabled by default in Speed → Optimization.

For custom Nginx servers, ensure listen 443 ssl http2; is in the server block. For Node.js servers without a reverse proxy, use the built-in http2 module or place Caddy or Nginx in front.

Detection

ID: http2-enabled
Severity: low
What to look for: Count all relevant instances and enumerate each. Check hosting platform documentation or headers. For Vercel, Netlify, AWS, look for HTTP/2 or HTTP/3 enabled by default. Inspect response headers: HTTP/2.0 or HTTP/3 in server response. Check CDN provider (Cloudflare, AWS CloudFront, etc.) for HTTP/2+ settings.
Pass criteria: Server responds over HTTP/2 or HTTP/3. At least 1 implementation must be verified. Connection multiplexing is enabled. CDN (if used) also supports HTTP/2+.
Fail criteria: Server responds over HTTP/1.1, forcing browsers to open multiple connections for parallel requests. Modern hosting platforms should default to HTTP/2.
Skip (N/A) when: The project is not deployed or uses an old hosting platform without HTTP/2 support.
Detail on fail: Specify the protocol. Example: "Server responds over HTTP/1.1; DevTools shows 6 TCP connections for parallel requests. Upgrade to HTTP/2 for connection multiplexing" or "CDN supports HTTP/2 but origin server is HTTP/1.1; requests to origin are slow".
Remediation: Modern hosting platforms include HTTP/2 by default. Verify in your platform settings:

Vercel: HTTP/2 enabled by default. Netlify: HTTP/2 enabled by default. AWS CloudFront: Enable HTTP/2 in distribution settings. Cloudflare: HTTP/2 and HTTP/3 enabled by default.

Check response headers:
```
curl -I https://yoursite.com
# Look for: HTTP/2.0 or HTTP/3
```

External references

iso-25010:2011 · performance-efficiency.time-behaviour — Time Behaviour

Taxons

performance operational-readiness

History

2026-04-18·v1.0.0·Initial import from performance-core·automated