
Skyhigh Security

HTTP2 support in SWG

Secure Web Gateway (SWG) supports HTTP/2 inspection for encrypted web traffic. HTTP/2 improves web performance and efficiency by allowing multiple requests and responses to share a single connection. SWG processes HTTP/2 traffic while continuing to enforce security policies, visibility, and SSL inspection controls.

  • HTTP/2 is enabled by default.
  • You must enable the SSL Scanner to inspect or control HTTP/2 traffic.

Configure HTTP/2 Behavior

SWG allows you to dynamically enable or disable HTTP/2 during the CONNECT phase by using the following policy event:

  • Event: Proxy Control > Use HTTP2

SWG evaluates this setting only during the CONNECT call. The CERTVERIFY phase does not support HTTP/2 control.

If a policy disables HTTP/2, SWG automatically falls back to HTTPS communication over HTTP/1.1. This fallback ensures continued connectivity for web traffic that cannot use HTTP/2.

TLS and Protocol Requirements

SWG processes encrypted HTTP/2 traffic only over TLS 1.2 or TLS 1.3 to align with modern browser standards and secure communication requirements.

A successful HTTP/2 connection depends on the TLS capabilities negotiated by the client.

Client Requirements

The client must support one of the following:

  • TLS 1.2 cipher suites that use:
    • GCM encryption
    • Perfect Forward Secrecy (PFS)
  • Any standard TLS 1.3 cipher suite

These requirements ensure compatibility with secure HTTP/2 communication standards.
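The client requirements above can be checked mechanically. The following Python helper is an added example and not Skyhigh code: it encodes the rules as the page states them (TLS 1.3 with any standard suite, or TLS 1.2 with a suite that uses GCM and an ephemeral ECDHE/DHE key exchange), classifies cipher suite names in either IANA or OpenSSL spelling, and builds a client SSLContext that advertises h2 via ALPN while offering only suites that satisfy those rules. The sample client offer at the bottom is constructed for illustration, and the GCM-only rule follows the page literally, so ChaCha20-Poly1305 on TLS 1.2 is reported as not qualifying.

```python
"""Check whether a client's TLS offer can carry HTTP/2 through SWG.

Added example (not Skyhigh code). It models the client requirements stated in
the SWG documentation: TLS 1.3 with any standard suite, or TLS 1.2 with a
cipher suite that uses GCM encryption and a PFS (ECDHE/DHE) key exchange.
"""
import re
import ssl

PFS_KEY_EXCHANGES = ("ECDHE", "DHE")


def _tokens(suite: str) -> list:
    # Both IANA ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") and OpenSSL
    # ("ECDHE-RSA-AES128-GCM-SHA256") names split cleanly on '_' and '-'.
    return re.split(r"[-_]", suite.upper())


def h2_allowed(protocol: str, suite: str) -> bool:
    """Return True if (negotiated protocol, cipher suite) meets the stated rules."""
    proto = protocol.replace(" ", "").upper()
    if proto == "TLSV1.3":
        return True            # any standard TLS 1.3 suite qualifies
    if proto != "TLSV1.2":
        return False           # TLS 1.0/1.1 are never used for HTTP/2 by SWG
    tokens = _tokens(suite)
    uses_gcm = "GCM" in tokens
    uses_pfs = any(t in PFS_KEY_EXCHANGES for t in tokens)
    return uses_gcm and uses_pfs


def h2_capable_suites(protocol: str, suites: list) -> list:
    """Filter a client's offered suites down to those that permit HTTP/2."""
    return [s for s in suites if h2_allowed(protocol, s)]


def build_h2_client_context() -> ssl.SSLContext:
    """Client context that only offers suites satisfying the rules above.

    TLS 1.3 suites are not governed by set_ciphers(); they stay enabled and all
    qualify. The !aNULL/!eNULL exclusions keep anonymous and null suites out.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL")
    ctx.set_alpn_protocols(["h2", "http/1.1"])   # ask for h2, fall back to HTTP/1.1
    return ctx


def context_offers_only_h2_suites(ctx: ssl.SSLContext) -> bool:
    """Verify every suite the context would offer passes h2_allowed()."""
    return all(h2_allowed(c["protocol"], c["name"]) for c in ctx.get_ciphers())


# Constructed sample offer from a hypothetical TLS 1.2-only client.
SAMPLE_TLS12_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",     # GCM + ECDHE: qualifies
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",       # GCM + DHE: qualifies
    "TLS_RSA_WITH_AES_128_GCM_SHA256",           # GCM but static RSA: no PFS
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",     # PFS but CBC: no GCM
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",  # AEAD but not GCM per page
]

if __name__ == "__main__":
    for suite in SAMPLE_TLS12_OFFER:
        print(f"{suite:48} h2={h2_allowed('TLSv1.2', suite)}")
    ctx = build_h2_client_context()
    print("context offers only h2-capable suites:", context_offers_only_h2_suites(ctx))
```

Run it with a client's actual offer (for example the suite names from a packet capture of the ClientHello) to see which suites would let SWG negotiate HTTP/2; the context builder is useful when writing test clients against an SWG deployment.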

Server Requirements

SWG does not enforce cipher restrictions on the destination server. The server determines the cipher suites and protocol settings that it supports.

Protocol Translation

SWG does not rewrite or translate protocols between client-side and server-side connections.

The protocol must remain consistent throughout the connection. SWG does not support:

  • HTTP/1.1 to HTTP/2 translation
  • HTTP/2 to HTTP/1.1 translation

This behavior preserves protocol integrity across the end-to-end session.

Concurrent Streams and QoS Behavior

HTTP/2 uses concurrent streams to multiplex multiple requests over a single TCP connection. This design improves connection efficiency and reduces latency.

Because multiple requests share the same connection:

  • SWG cannot apply QoS policies to individual requests.
  • SWG ignores Socket Mark operations configured at the per-request level.

You can apply QoS and Socket Mark settings only during the initial CONNECT cycle, where the configuration affects the entire connection globally.

Current Limitations

SWG does not currently support the following native HTTP/2 capabilities:

  • Server Push
  • Stream Priority
  • Stream Dependency
  • Web Cache

These limitations apply only to the listed HTTP/2 features. SWG continues to support standard HTTP/2 inspection and policy enforcement capabilities.
