diff --git a/apis/projectcontour/v1alpha1/contourconfig.go b/apis/projectcontour/v1alpha1/contourconfig.go
index 8070cb99c94..d231d19bbaa 100644
--- a/apis/projectcontour/v1alpha1/contourconfig.go
+++ b/apis/projectcontour/v1alpha1/contourconfig.go
@@ -400,7 +400,18 @@ type EnvoyListenerConfig struct {
 	//
 	// +kubebuilder:validation:Minimum=1
 	// +optional
-	MaxRequestsPerIOCycle *uint32 `json:"maxRequestsPerIOCycle"`
+	MaxRequestsPerIOCycle *uint32 `json:"maxRequestsPerIOCycle,omitempty"`
+
+	// Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the
+	// SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed
+	// for a peer on a single HTTP/2 connection. It is recommended to not set this lower
+	// than 100 but this field can be used to bound resource usage by HTTP/2 connections
+	// and mitigate attacks like CVE-2023-44487. The default value when this is not set is
+	// unlimited.
+	//
+	// +kubebuilder:validation:Minimum=1
+	// +optional
+	HTTP2MaxConcurrentStreams *uint32 `json:"httpMaxConcurrentStreams,omitempty"`
 }
 
 // SocketOptions defines configurable socket options for Envoy listeners.
diff --git a/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go b/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go
index c8a9d6776fe..ff4f84765b9 100644
--- a/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go
@@ -587,6 +587,11 @@ func (in *EnvoyListenerConfig) DeepCopyInto(out *EnvoyListenerConfig) {
 		*out = new(uint32)
 		**out = **in
 	}
+	if in.HTTP2MaxConcurrentStreams != nil {
+		in, out := &in.HTTP2MaxConcurrentStreams, &out.HTTP2MaxConcurrentStreams
+		*out = new(uint32)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvoyListenerConfig.
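Review bot: The validation marker on the new HTTP2MaxConcurrentStreams field bounds only the low end, yet Envoy's protocol.proto validates Http2ProtocolOptions.max_concurrent_streams as 1..2147483647, so a uint32 above 2^31-1 passes CRD admission and would presumably be rejected by Envoy when the listener is pushed, turning a typo into a failed xDS update rather than an admission error. Add `// +kubebuilder:validation:Maximum=2147483647` beside the `Minimum=1` marker so the CRD catches it up front. Separately, the JSON tag `httpMaxConcurrentStreams` drops the "2" that the Go field, the YAML key `http2-max-concurrent-streams` and the doc comment all carry; a CRD field name is API once released, so `json:"http2MaxConcurrentStreams,omitempty"` is worth settling before this ships. The deepcopy hunk is generated and needs no change.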
diff --git a/changelogs/unreleased/5850-sunjayBhatia-minor.md b/changelogs/unreleased/5850-sunjayBhatia-minor.md
new file mode 100644
index 00000000000..32e38a6c494
--- /dev/null
+++ b/changelogs/unreleased/5850-sunjayBhatia-minor.md
@@ -0,0 +1,11 @@
+## HTTP/2 max concurrent streams is configurable
+
+This field can be used to limit the number of concurrent streams Envoy will allow on a single connection from a downstream peer.
+It can be used to tune resource usage and as a mitigation for DOS attacks arising from vulnerabilities like CVE-2023-44487.
+
+The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:
+
+```
+listener:
+  http2-max-concurrent-streams: 50
+```
diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go
index 6a6e4461fc7..85490f7caa4 100644
--- a/cmd/contour/serve.go
+++ b/cmd/contour/serve.go
@@ -437,6 +437,7 @@ func (s *Server) doServe() error {
 			XffNumTrustedHops: *contourConfiguration.Envoy.Network.XffNumTrustedHops,
 			ConnectionBalancer: contourConfiguration.Envoy.Listener.ConnectionBalancer,
 			MaxRequestsPerConnection: contourConfiguration.Envoy.Listener.MaxRequestsPerConnection,
+			HTTP2MaxConcurrentStreams: contourConfiguration.Envoy.Listener.HTTP2MaxConcurrentStreams,
 			PerConnectionBufferLimitBytes: contourConfiguration.Envoy.Listener.PerConnectionBufferLimitBytes,
 			SocketOptions: contourConfiguration.Envoy.Listener.SocketOptions,
 		}
diff --git a/cmd/contour/servecontext.go b/cmd/contour/servecontext.go
index 25c1e8ffc5d..7d3f72312ad 100644
--- a/cmd/contour/servecontext.go
+++ b/cmd/contour/servecontext.go
@@ -529,6 +529,7 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha
 			PerConnectionBufferLimitBytes: ctx.Config.Listener.PerConnectionBufferLimitBytes,
 			MaxRequestsPerConnection: ctx.Config.Listener.MaxRequestsPerConnection,
 			MaxRequestsPerIOCycle: ctx.Config.Listener.MaxRequestsPerIOCycle,
+			HTTP2MaxConcurrentStreams: ctx.Config.Listener.HTTP2MaxConcurrentStreams,
 			TLS: &contour_api_v1alpha1.EnvoyTLS{
 				MinimumProtocolVersion: ctx.Config.TLS.MinimumProtocolVersion,
 				MaximumProtocolVersion: ctx.Config.TLS.MaximumProtocolVersion,
diff --git a/cmd/contour/servecontext_test.go b/cmd/contour/servecontext_test.go
index 183e7c2dd85..dd8d3bf681c 100644
--- a/cmd/contour/servecontext_test.go
+++ b/cmd/contour/servecontext_test.go
@@ -877,10 +877,12 @@ func TestConvertServeContext(t *testing.T) {
 		"envoy listener settings": {
 			getServeContext: func(ctx *serveContext) *serveContext {
 				ctx.Config.Listener.MaxRequestsPerIOCycle = ref.To(uint32(10))
+				ctx.Config.Listener.HTTP2MaxConcurrentStreams = ref.To(uint32(30))
 				return ctx
 			},
 			getContourConfiguration: func(cfg contour_api_v1alpha1.ContourConfigurationSpec) contour_api_v1alpha1.ContourConfigurationSpec {
 				cfg.Envoy.Listener.MaxRequestsPerIOCycle = ref.To(uint32(10))
+				cfg.Envoy.Listener.HTTP2MaxConcurrentStreams = ref.To(uint32(30))
 				return cfg
 			},
 		},
diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml
index 7fb064b7c5a..940a1b288bf 100644
--- a/examples/contour/01-crds.yaml
+++ b/examples/contour/01-crds.yaml
@@ -196,6 +196,18 @@ spec: slashes from request URL paths. \n Contour's default is false." type: boolean + httpMaxConcurrentStreams: + description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS + Envoy will advertise in the SETTINGS frame in HTTP/2 connections + and the limit for concurrent streams allowed for a peer + on a single HTTP/2 connection. It is recommended to not + set this lower than 100 but this field can be used to bound + resource usage by HTTP/2 connections and mitigate attacks + like CVE-2023-44487. The default value when this is not + set is unlimited. + format: int32 + minimum: 1 + type: integer maxRequestsPerConnection: description: Defines the maximum requests for downstream connections. If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions @@ -3646,6 +3658,18 @@ spec: duplicate slashes from request URL paths. \n Contour's default is false." type: boolean + httpMaxConcurrentStreams: + description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS + Envoy will advertise in the SETTINGS frame in HTTP/2 + connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended + to not set this lower than 100 but this field can be + used to bound resource usage by HTTP/2 connections and + mitigate attacks like CVE-2023-44487. The default value + when this is not set is unlimited. + format: int32 + minimum: 1 + type: integer maxRequestsPerConnection: description: Defines the maximum requests for downstream connections. If not specified, there is no limit. see diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml index 74d0938f238..31522145d17 100644 --- a/examples/render/contour-deployment.yaml +++ b/examples/render/contour-deployment.yaml 
@@ -415,6 +415,18 @@ spec: slashes from request URL paths. \n Contour's default is false." type: boolean + httpMaxConcurrentStreams: + description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS + Envoy will advertise in the SETTINGS frame in HTTP/2 connections + and the limit for concurrent streams allowed for a peer + on a single HTTP/2 connection. It is recommended to not + set this lower than 100 but this field can be used to bound + resource usage by HTTP/2 connections and mitigate attacks + like CVE-2023-44487. The default value when this is not + set is unlimited. + format: int32 + minimum: 1 + type: integer maxRequestsPerConnection: description: Defines the maximum requests for downstream connections. If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions @@ -3865,6 +3877,18 @@ spec: duplicate slashes from request URL paths. \n Contour's default is false." type: boolean + httpMaxConcurrentStreams: + description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS + Envoy will advertise in the SETTINGS frame in HTTP/2 + connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended + to not set this lower than 100 but this field can be + used to bound resource usage by HTTP/2 connections and + mitigate attacks like CVE-2023-44487. The default value + when this is not set is unlimited. + format: int32 + minimum: 1 + type: integer maxRequestsPerConnection: description: Defines the maximum requests for downstream connections. If not specified, there is no limit. see diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml index 0a100be8a90..7bc48cb9ae8 100644 --- a/examples/render/contour-gateway-provisioner.yaml +++ b/examples/render/contour-gateway-provisioner.yaml 
@@ -207,6 +207,18 @@ spec: slashes from request URL paths. \n Contour's default is false." type: boolean + httpMaxConcurrentStreams: + description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS + Envoy will advertise in the SETTINGS frame in HTTP/2 connections + and the limit for concurrent streams allowed for a peer + on a single HTTP/2 connection. It is recommended to not + set this lower than 100 but this field can be used to bound + resource usage by HTTP/2 connections and mitigate attacks + like CVE-2023-44487. The default value when this is not + set is unlimited. + format: int32 + minimum: 1 + type: integer maxRequestsPerConnection: description: Defines the maximum requests for downstream connections. If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions @@ -3657,6 +3669,18 @@ spec: duplicate slashes from request URL paths. \n Contour's default is false." type: boolean + httpMaxConcurrentStreams: + description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS + Envoy will advertise in the SETTINGS frame in HTTP/2 + connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended + to not set this lower than 100 but this field can be + used to bound resource usage by HTTP/2 connections and + mitigate attacks like CVE-2023-44487. The default value + when this is not set is unlimited. + format: int32 + minimum: 1 + type: integer maxRequestsPerConnection: description: Defines the maximum requests for downstream connections. If not specified, there is no limit. see diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index 3c2f4b1a9f5..1e4a6f05744 100644 --- a/examples/render/contour-gateway.yaml +++ b/examples/render/contour-gateway.yaml 
@@ -418,6 +418,18 @@ spec: slashes from request URL paths. \n Contour's default is false." type: boolean + httpMaxConcurrentStreams: + description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS + Envoy will advertise in the SETTINGS frame in HTTP/2 connections + and the limit for concurrent streams allowed for a peer + on a single HTTP/2 connection. It is recommended to not + set this lower than 100 but this field can be used to bound + resource usage by HTTP/2 connections and mitigate attacks + like CVE-2023-44487. The default value when this is not + set is unlimited. + format: int32 + minimum: 1 + type: integer maxRequestsPerConnection: description: Defines the maximum requests for downstream connections. If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions @@ -3868,6 +3880,18 @@ spec: duplicate slashes from request URL paths. \n Contour's default is false." type: boolean + httpMaxConcurrentStreams: + description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS + Envoy will advertise in the SETTINGS frame in HTTP/2 + connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended + to not set this lower than 100 but this field can be + used to bound resource usage by HTTP/2 connections and + mitigate attacks like CVE-2023-44487. The default value + when this is not set is unlimited. + format: int32 + minimum: 1 + type: integer maxRequestsPerConnection: description: Defines the maximum requests for downstream connections. If not specified, there is no limit. see diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml index 7b7ffa08de3..326f23552c0 100644 --- a/examples/render/contour.yaml +++ b/examples/render/contour.yaml 
@@ -415,6 +415,18 @@ spec: slashes from request URL paths. \n Contour's default is false." type: boolean + httpMaxConcurrentStreams: + description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS + Envoy will advertise in the SETTINGS frame in HTTP/2 connections + and the limit for concurrent streams allowed for a peer + on a single HTTP/2 connection. It is recommended to not + set this lower than 100 but this field can be used to bound + resource usage by HTTP/2 connections and mitigate attacks + like CVE-2023-44487. The default value when this is not + set is unlimited. + format: int32 + minimum: 1 + type: integer maxRequestsPerConnection: description: Defines the maximum requests for downstream connections. If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions @@ -3865,6 +3877,18 @@ spec: duplicate slashes from request URL paths. \n Contour's default is false." type: boolean + httpMaxConcurrentStreams: + description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS + Envoy will advertise in the SETTINGS frame in HTTP/2 + connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended + to not set this lower than 100 but this field can be + used to bound resource usage by HTTP/2 connections and + mitigate attacks like CVE-2023-44487. The default value + when this is not set is unlimited. + format: int32 + minimum: 1 + type: integer maxRequestsPerConnection: description: Defines the maximum requests for downstream connections. If not specified, there is no limit. see diff --git a/internal/contourconfig/contourconfiguration_test.go b/internal/contourconfig/contourconfiguration_test.go index 0d455d6e8d4..4106ea9a1d7 100644 --- a/internal/contourconfig/contourconfiguration_test.go +++ b/internal/contourconfig/contourconfiguration_test.go 
@@ -57,6 +57,7 @@ func TestOverlayOnDefaults(t *testing.T) {
 			DisableAllowChunkedLength: ref.To(true),
 			DisableMergeSlashes: ref.To(true),
 			MaxRequestsPerConnection: ref.To(uint32(1)),
+			HTTP2MaxConcurrentStreams: ref.To(uint32(10)),
 			ServerHeaderTransformation: contour_api_v1alpha1.PassThroughServerHeader,
 			ConnectionBalancer: "yesplease",
 			TLS: &contour_api_v1alpha1.EnvoyTLS{
diff --git a/internal/envoy/v3/listener.go b/internal/envoy/v3/listener.go
index 6948cba9a41..5ac6e971598 100644
--- a/internal/envoy/v3/listener.go
+++ b/internal/envoy/v3/listener.go
@@ -172,6 +172,7 @@ type httpConnectionManagerBuilder struct {
 	numTrustedHops uint32
 	tracingConfig *http.HttpConnectionManager_Tracing
 	maxRequestsPerConnection *uint32
+	http2MaxConcurrentStreams *uint32
 	enableWebsockets bool
 }
 
@@ -284,6 +285,11 @@ func (b *httpConnectionManagerBuilder) MaxRequestsPerConnection(maxRequestsPerCo
 	return b
 }
 
+func (b *httpConnectionManagerBuilder) HTTP2MaxConcurrentStreams(http2MaxConcurrentStreams *uint32) *httpConnectionManagerBuilder {
+	b.http2MaxConcurrentStreams = http2MaxConcurrentStreams
+	return b
+}
+
 func (b *httpConnectionManagerBuilder) DefaultFilters() *httpConnectionManagerBuilder {
 
 	// Add a default set of ordered http filters.
@@ -538,6 +544,12 @@ func (b *httpConnectionManagerBuilder) Get() *envoy_listener_v3.Filter {
 		cm.CommonHttpProtocolOptions.MaxRequestsPerConnection = wrapperspb.UInt32(*b.maxRequestsPerConnection)
 	}
 
+	if b.http2MaxConcurrentStreams != nil {
+		cm.Http2ProtocolOptions = &envoy_core_v3.Http2ProtocolOptions{
+			MaxConcurrentStreams: wrapperspb.UInt32(*b.http2MaxConcurrentStreams),
+		}
+	}
+
 	if b.enableWebsockets {
 		cm.UpgradeConfigs = append(cm.UpgradeConfigs, &http.HttpConnectionManager_UpgradeConfig{
diff --git a/internal/envoy/v3/listener_test.go b/internal/envoy/v3/listener_test.go
index 4a9d8046e56..12bccde3262 100644
--- a/internal/envoy/v3/listener_test.go
+++ b/internal/envoy/v3/listener_test.go
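Review bot: The `if b.http2MaxConcurrentStreams != nil` block in Get() assigns a fresh `envoy_core_v3.Http2ProtocolOptions` to `cm.Http2ProtocolOptions`, which discards anything Get() may already have placed there; nothing in the hunk sets it earlier, but Get()'s body starts outside the hunk, so I cannot confirm the field is untouched. Initialising the struct only when nil and then setting the single field produces the same output today and survives a second HTTP/2 option being added later. The new HTTP2MaxConcurrentStreams setter also lacks a doc comment; it should say the value only governs what Envoy advertises to downstream peers on this connection manager, since as far as this diff shows nothing applies it to upstream cluster HTTP/2 options, and that matters when the field is presented as the CVE-2023-44487 mitigation.
```go
	if b.http2MaxConcurrentStreams != nil {
		if cm.Http2ProtocolOptions == nil {
			cm.Http2ProtocolOptions = &envoy_core_v3.Http2ProtocolOptions{}
		}
		cm.Http2ProtocolOptions.MaxConcurrentStreams = wrapperspb.UInt32(*b.http2MaxConcurrentStreams)
	}
	// … unchanged: websocket upgrade config …
```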
@@ -652,6 +652,7 @@ func TestHTTPConnectionManager(t *testing.T) {
 		forwardClientCertificate *dag.ClientCertificateDetails
 		xffNumTrustedHops uint32
 		maxRequestsPerConnection *uint32
+		http2MaxConcurrentStreams *uint32
 		want *envoy_listener_v3.Filter
 	}{
 		"default": {
@@ -1396,6 +1397,56 @@ func TestHTTPConnectionManager(t *testing.T) { }, }, }, + "http2MaxConcurrentStreams set": { + routename: "default/kuard", + accesslogger: FileAccessLogEnvoy("/dev/stdout", "", nil, v1alpha1.LogLevelInfo), + http2MaxConcurrentStreams: ref.To(uint32(50)), + want: &envoy_listener_v3.Filter{ + Name: wellknown.HTTPConnectionManager, + ConfigType: &envoy_listener_v3.Filter_TypedConfig{ + TypedConfig: protobuf.MustMarshalAny(&http.HttpConnectionManager{ + StatPrefix: "default/kuard", + RouteSpecifier: &http.HttpConnectionManager_Rds{ + Rds: &http.Rds{ + RouteConfigName: "default/kuard", + ConfigSource: &envoy_core_v3.ConfigSource{ + ResourceApiVersion: envoy_core_v3.ApiVersion_V3, + ConfigSourceSpecifier: &envoy_core_v3.ConfigSource_ApiConfigSource{ + ApiConfigSource: &envoy_core_v3.ApiConfigSource{ + ApiType: envoy_core_v3.ApiConfigSource_GRPC, + TransportApiVersion: envoy_core_v3.ApiVersion_V3, + GrpcServices: []*envoy_core_v3.GrpcService{{ + TargetSpecifier: &envoy_core_v3.GrpcService_EnvoyGrpc_{ + EnvoyGrpc: &envoy_core_v3.GrpcService_EnvoyGrpc{ + ClusterName: "contour", + Authority: "contour", + }, + }, + }}, + }, + }, + }, + }, + }, + HttpFilters: defaultHTTPFilters, + HttpProtocolOptions: &envoy_core_v3.Http1ProtocolOptions{ + // Enable support for HTTP/1.0 requests that carry + // a Host: header. See #537. + AcceptHttp_10: true, + }, + CommonHttpProtocolOptions: &envoy_core_v3.HttpProtocolOptions{}, + Http2ProtocolOptions: &envoy_core_v3.Http2ProtocolOptions{ + MaxConcurrentStreams: wrapperspb.UInt32(50), + }, + AccessLog: FileAccessLogEnvoy("/dev/stdout", "", nil, v1alpha1.LogLevelInfo), + UseRemoteAddress: wrapperspb.Bool(true), + NormalizePath: wrapperspb.Bool(true), + PreserveExternalRequestId: true, + MergeSlashes: false, + }), + }, + }, + }, } for name, tc := range tests { t.Run(name, func(t *testing.T) { 
@@ -1415,6 +1466,7 @@ func TestHTTPConnectionManager(t *testing.T) {
 				NumTrustedHops(tc.xffNumTrustedHops).
 				ForwardClientCertificate(tc.forwardClientCertificate).
 				MaxRequestsPerConnection(tc.maxRequestsPerConnection).
+				HTTP2MaxConcurrentStreams(tc.http2MaxConcurrentStreams).
 				DefaultFilters().
 				Get()
 
diff --git a/internal/xdscache/v3/listener.go b/internal/xdscache/v3/listener.go
index c9cf6d04aaf..01e99745689 100644
--- a/internal/xdscache/v3/listener.go
+++ b/internal/xdscache/v3/listener.go
@@ -129,6 +129,8 @@ type ListenerConfig struct {
 	// if not specified there is no limit set.
 	MaxRequestsPerConnection *uint32
 
+	HTTP2MaxConcurrentStreams *uint32
+
 	// PerConnectionBufferLimitBytes defines the soft limit on size of the listener’s new connection read and write buffers
 	// If unspecified, an implementation defined default is applied (1MiB).
 	PerConnectionBufferLimitBytes *uint32
@@ -420,6 +422,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) {
 				ServerHeaderTransformation(cfg.ServerHeaderTransformation).
 				NumTrustedHops(cfg.XffNumTrustedHops).
 				MaxRequestsPerConnection(cfg.MaxRequestsPerConnection).
+				HTTP2MaxConcurrentStreams(cfg.HTTP2MaxConcurrentStreams).
 				AddFilter(httpGlobalExternalAuthConfig(cfg.GlobalExternalAuthConfig)).
 				Tracing(envoy_v3.TracingConfig(envoyTracingConfig(cfg.TracingConfig))).
 				AddFilter(envoy_v3.GlobalRateLimitFilter(envoyGlobalRateLimitConfig(cfg.RateLimitConfig))).
@@ -497,6 +500,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) {
 				AddFilter(envoy_v3.GlobalRateLimitFilter(envoyGlobalRateLimitConfig(cfg.RateLimitConfig))).
 				ForwardClientCertificate(forwardClientCertificate).
 				MaxRequestsPerConnection(cfg.MaxRequestsPerConnection).
+				HTTP2MaxConcurrentStreams(cfg.HTTP2MaxConcurrentStreams).
 				EnableWebsockets(listener.EnableWebsockets).
 				Get()
 
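Review bot: The new `HTTP2MaxConcurrentStreams *uint32` field in ListenerConfig is the only field in its hunk without a doc comment, while its neighbours MaxRequestsPerConnection and PerConnectionBufferLimitBytes document both the meaning and the unset behaviour. Suggest `// HTTP2MaxConcurrentStreams sets SETTINGS_MAX_CONCURRENT_STREAMS advertised to downstream peers on HTTP/2 connections.` followed by `// If not specified, Envoy's default (no limit) applies.`, matching the wording the CRD type uses for the same value. The chained HTTP2MaxConcurrentStreams(cfg.HTTP2MaxConcurrentStreams) calls in the OnChange hunks are plain plumbing; OnChange starts and ends outside the hunks.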
@@ -571,6 +575,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) {
 				AddFilter(envoy_v3.GlobalRateLimitFilter(envoyGlobalRateLimitConfig(cfg.RateLimitConfig))).
 				ForwardClientCertificate(forwardClientCertificate).
 				MaxRequestsPerConnection(cfg.MaxRequestsPerConnection).
+				HTTP2MaxConcurrentStreams(cfg.HTTP2MaxConcurrentStreams).
 				EnableWebsockets(listener.EnableWebsockets).
 				Get()
 
diff --git a/internal/xdscache/v3/listener_test.go b/internal/xdscache/v3/listener_test.go
index 186215e39c7..0c64fc3030f 100644
--- a/internal/xdscache/v3/listener_test.go
+++ b/internal/xdscache/v3/listener_test.go
@@ -3684,6 +3684,142 @@ func TestListenerVisit(t *testing.T) { SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(), }), }, + "httpproxy with HTTP2MaxConcurrentStreams set in listener config": { + ListenerConfig: ListenerConfig{ + HTTP2MaxConcurrentStreams: ref.To(uint32(100)), + }, + objs: []any{ + &contour_api_v1.HTTPProxy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "simple", + Namespace: "default", + }, + Spec: contour_api_v1.HTTPProxySpec{ + VirtualHost: &contour_api_v1.VirtualHost{ + Fqdn: "www.example.com", + }, + Routes: []contour_api_v1.Route{{ + Conditions: []contour_api_v1.MatchCondition{{ + Prefix: "/", + }}, + Services: []contour_api_v1.Service{{ + Name: "backend", + Port: 80, + }}, + }}, + }, + }, + &v1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: "backend", + Namespace: "default", + }, + Spec: v1.ServiceSpec{ + Ports: []v1.ServicePort{{ + Name: "http", + Protocol: "TCP", + Port: 80, + }}, + }, + }, + }, + want: listenermap(&envoy_listener_v3.Listener{ + Name: ENVOY_HTTP_LISTENER, + Address: envoy_v3.SocketAddress("0.0.0.0", 8080), + FilterChains: envoy_v3.FilterChains( + envoy_v3.HTTPConnectionManagerBuilder(). + RouteConfigName(ENVOY_HTTP_LISTENER). + MetricsPrefix(ENVOY_HTTP_LISTENER). + AccessLoggers(envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo)). + DefaultFilters(). + HTTP2MaxConcurrentStreams(ref.To(uint32(100))). 
+ Get(), + ), + SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(), + }), + }, + "httpsproxy with HTTP2MaxConcurrentStreams set in listener config": { + ListenerConfig: ListenerConfig{ + HTTP2MaxConcurrentStreams: ref.To(uint32(101)), + }, + objs: []any{ + &contour_api_v1.HTTPProxy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "simple", + Namespace: "default", + }, + Spec: contour_api_v1.HTTPProxySpec{ + VirtualHost: &contour_api_v1.VirtualHost{ + Fqdn: "www.example.com", + TLS: &contour_api_v1.TLS{ + SecretName: "secret", + }, + }, + Routes: []contour_api_v1.Route{{ + Services: []contour_api_v1.Service{{ + Name: "backend", + Port: 80, + }}, + }}, + }, + }, + &v1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "secret", + Namespace: "default", + }, + Type: "kubernetes.io/tls", + Data: secretdata(CERTIFICATE, RSA_PRIVATE_KEY), + }, + &v1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: "backend", + Namespace: "default", + }, + Spec: v1.ServiceSpec{ + Ports: []v1.ServicePort{{ + Name: "http", + Protocol: "TCP", + Port: 80, + }}, + }, + }, + }, + want: listenermap(&envoy_listener_v3.Listener{ + Name: ENVOY_HTTP_LISTENER, + Address: envoy_v3.SocketAddress("0.0.0.0", 8080), + FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManagerBuilder(). + RouteConfigName(ENVOY_HTTP_LISTENER). + MetricsPrefix(ENVOY_HTTP_LISTENER). + AccessLoggers(envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo)). + DefaultFilters(). + HTTP2MaxConcurrentStreams(ref.To(uint32(101))). 
+ Get(), + ), + SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(), + }, &envoy_listener_v3.Listener{ + Name: ENVOY_HTTPS_LISTENER, + Address: envoy_v3.SocketAddress("0.0.0.0", 8443), + FilterChains: []*envoy_listener_v3.FilterChain{{ + FilterChainMatch: &envoy_listener_v3.FilterChainMatch{ + ServerNames: []string{"www.example.com"}, + }, + TransportSocket: transportSocket("secret", envoy_tls_v3.TlsParameters_TLSv1_2, envoy_tls_v3.TlsParameters_TLSv1_3, nil, "h2", "http/1.1"), + Filters: envoy_v3.Filters(envoy_v3.HTTPConnectionManagerBuilder(). + AddFilter(envoy_v3.FilterMisdirectedRequests("www.example.com")). + DefaultFilters(). + MetricsPrefix(ENVOY_HTTPS_LISTENER). + RouteConfigName(path.Join("https", "www.example.com")). + AccessLoggers(envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo)). + HTTP2MaxConcurrentStreams(ref.To(uint32(101))). + Get()), + }}, + ListenerFilters: envoy_v3.ListenerFilters( + envoy_v3.TLSInspector(), + ), + SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(), + }), + }, "httpproxy with PerConnectionBufferLimitBytes set in listener config": { ListenerConfig: ListenerConfig{ PerConnectionBufferLimitBytes: ref.To(uint32(32768)), diff --git a/pkg/config/parameters.go b/pkg/config/parameters.go index 413bae97a11..9046c6485b9 100644 --- a/pkg/config/parameters.go +++ b/pkg/config/parameters.go 
@@ -490,7 +490,15 @@ type ListenerParameters struct {
 	// I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is
 	// detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default
 	// value when this is not set is no limit.
-	MaxRequestsPerIOCycle *uint32 `yaml:"max-requests-per-io-cycle"`
+	MaxRequestsPerIOCycle *uint32 `yaml:"max-requests-per-io-cycle,omitempty"`
+
+	// Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the
+	// SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed
+	// for a peer on a single HTTP/2 connection. It is recommended to not set this lower
+	// than 100 but this field can be used to bound resource usage by HTTP/2 connections
+	// and mitigate attacks like CVE-2023-44487. The default value when this is not set is
+	// unlimited.
+	HTTP2MaxConcurrentStreams *uint32 `yaml:"http2-max-concurrent-streams,omitempty"`
 }
 
 func (p *ListenerParameters) Validate() error {
@@ -514,6 +522,10 @@ func (p *ListenerParameters) Validate() error {
 		return fmt.Errorf("invalid max connections per IO cycle value %q set on listener, minimum value is 1", *p.MaxRequestsPerIOCycle)
 	}
 
+	if p.HTTP2MaxConcurrentStreams != nil && *p.HTTP2MaxConcurrentStreams < 1 {
+		return fmt.Errorf("invalid max HTTP/2 concurrent streams value %q set on listener, minimum value is 1", *p.HTTP2MaxConcurrentStreams)
+	}
+
 	return p.SocketOptions.Validate()
 }
 
diff --git a/pkg/config/parameters_test.go b/pkg/config/parameters_test.go
index c5d1d987aa9..31467990952 100644
--- a/pkg/config/parameters_test.go
+++ b/pkg/config/parameters_test.go
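Review bot: The new check in Validate() formats a uint32 with `%q`, which prints a quoted rune rather than a number, so the only value that can fail (0) is reported as `'\x00'`; it copies the pattern of the MaxRequestsPerIOCycle line above, which has the same flaw. Because the config-file path has no CRD schema in front of it, this is also the place to reject values Envoy itself will not accept: its protocol.proto validates max_concurrent_streams as 1..2147483647, and a larger value would presumably fail at the Envoy side after Contour has already accepted the config. Suggest `if p.HTTP2MaxConcurrentStreams != nil && (*p.HTTP2MaxConcurrentStreams < 1 || *p.HTTP2MaxConcurrentStreams > 2147483647) {` with `return fmt.Errorf("invalid max HTTP/2 concurrent streams value %d set on listener, valid range is 1 to 2147483647", *p.HTTP2MaxConcurrentStreams)`. Validate's body begins outside the hunk.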
@@ -461,6 +461,13 @@ listener:
   max-requests-per-connection: 1
 `)
 
+	check(func(t *testing.T, conf *Parameters) {
+		assert.Equal(t, ref.To(uint32(10)), conf.Listener.HTTP2MaxConcurrentStreams)
+	}, `
+listener:
+  http2-max-concurrent-streams: 10
+`)
+
 	check(func(t *testing.T, conf *Parameters) {
 		assert.Equal(t, ref.To(uint32(1)), conf.Listener.PerConnectionBufferLimitBytes)
 	}, `
@@ -579,6 +586,14 @@ func TestListenerValidation(t *testing.T) {
 		MaxRequestsPerIOCycle: ref.To(uint32(0)),
 	}
 	require.Error(t, l.Validate())
+	l = &ListenerParameters{
+		HTTP2MaxConcurrentStreams: ref.To(uint32(1)),
+	}
+	require.NoError(t, l.Validate())
+	l = &ListenerParameters{
+		HTTP2MaxConcurrentStreams: ref.To(uint32(0)),
+	}
+	require.Error(t, l.Validate())
 	l = &ListenerParameters{
 		SocketOptions: SocketOptions{
 			TOS: 64,
diff --git a/site/content/docs/main/config/api-reference.html b/site/content/docs/main/config/api-reference.html
index 672010fc223..b988b1ac283 100644
--- a/site/content/docs/main/config/api-reference.html
+++ b/site/content/docs/main/config/api-reference.html
@@ -6801,6 +6801,24 @@

EnvoyListenerConfig value when this is not set is no limit.

+ + +httpMaxConcurrentStreams +
+ +uint32 + + + +(Optional) +

Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the +SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed +for a peer on a single HTTP/2 connection. It is recommended to not set this lower +than 100 but this field can be used to bound resource usage by HTTP/2 connections +and mitigate attacks like CVE-2023-44487. The default value when this is not set is +unlimited.

+ +

EnvoyLogging diff --git a/site/content/docs/main/configuration.md b/site/content/docs/main/configuration.md index b8dcfe238df..d09df20caaa 100644 --- a/site/content/docs/main/configuration.md +++ b/site/content/docs/main/configuration.md @@ -196,6 +196,7 @@ The listener configuration block can be used to configure various parameters for | per-connection-buffer-limit-bytes | int | 1MiB* | This field specifies the soft limit on size of the listener’s new connection read and write buffer. If not specified, Envoy defaults of 1MiB apply | | socket-options | SocketOptions | | The [Socket Options](#socket-options) for Envoy listeners. | | max-requests-per-io-cycle | int | none | Defines the limit on number of HTTP requests that Envoy will process from a single connection in a single I/O cycle. Requests over this limit are processed in subsequent I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is detected. Configures the `http.max_requests_per_io_cycle` Envoy runtime setting. The default value when this is not set is no limit. | +| http2-max-concurrent-streams | int | none | Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed for a peer on a single HTTP/2 connection. It is recommended to not set this lower than 100 but this field can be used to bound resource usage by HTTP/2 connections and mitigate attacks like CVE-2023-44487. The default value when this is not set is unlimited. | _This is Envoy's default setting value and is not explicitly configured by Contour._