Does HestiaCP provides up to date web servers versions to handle http/2 bomb attack?
Take a look to this post: