I don't see that using HTTP/2 is realistic.
(a) Are you saying that using HTTP/2 from the browser makes headers in your infrastructure secure?
(b) Some of our enterprise clients use security proxies (e.g. Cisco WSA) which do not support HTTP/2 and force connections from the browser to use HTTP/1.1. Aside: Cisco WSA is super crappy: we have recorded a repeatable corruption that passed information between HTTPS sessions (it was an obsolete device so we didn't report it to Cisco or the client - but I would bet good money there are plentiful major security flaws in Cisco WSA).
(c) If you are suggesting using HTTP/2 between frontend and backend, that seems unrealistic to implement.
From the other thread:
> If you have a front-end and a back-end, and they talk to each other using HTTPS, that's exploitable
I couldn't understand how - surely packets would be completely broken (how can you append a valid packet to an HTTPS request, or get a valid HTTPS reply to another connection?)
Perhaps a spiffy name, an icon, and a cool website would give this more visibility HAHA!
PS: I am surprised this isn't getting more attention on HN - it seems like a really fatal security issue that will affect heaps of sites - oh well.