The response compression middleware has response compression over HTTPS turned off by default to avoid the BREACH attack but has a flag to turn it on. The downside is that you lose performance of course. According to this article:
Another suggested approach is to disable HTTP compression whenever the referrer header indicates a cross-site request, or when the header is not present. This approach allows effective mitigation of the attack without losing functionality, only incurring a performance penalty on affected requests.
@blowdart Is this really a viable strategy to enable compression? Can we add this functionality to the response compression middleware?
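To make the risk behind that default concrete, here is an added example (not code from this issue, from the middleware, or from the linked article) that simulates the BREACH compression oracle with Python's zlib. Everything in it is constructed: the page layout, the secret token value `3f9a1c7e`, the reflected `Results for:` parameter, and the known prefix `/account/logout?token=` that precedes the secret in the HTML. It also assumes the server compresses with fixed Huffman tables (`zlib.Z_FIXED`), which makes the size signal exact; see the note after the block.

```python
import zlib

HEX = "0123456789abcdef"

# Constructed values: the per-user secret an attacker wants, and the static text that
# sits immediately before it in the page (the attacker knows the page template).
SECRET_TOKEN = "3f9a1c7e"
KNOWN_PREFIX = "/account/logout?token="


def render_page(query: str, token: str = SECRET_TOKEN) -> bytes:
    """Constructed dynamic page: it echoes an attacker-controlled query parameter and
    carries a per-user secret in the same response body, the setup BREACH needs."""
    return (
        "<!DOCTYPE html><html><head><title>Search</title></head><body>\n"
        f"<p>Results for: {query}</p>\n"
        '<ul><li class="result">no match</li>\n'
        '<li class="result">no match</li>\n'
        '<li class="result">no match</li></ul>\n'
        f'<a href="{KNOWN_PREFIX}{token}">Log out</a>\n'
        '<form method="post" action="/transfer"><input type="text" name="qty">'
        '<input type="submit" value="Send"></form>\n'
        "</body></html>\n"
    ).encode()


def compressed_length(body: bytes) -> int:
    """Size of the raw DEFLATE stream, which is what a network observer sees under TLS.
    Z_FIXED pins the Huffman tables, so every extra ASCII literal costs exactly 8 bits
    and a one-character-longer LZ77 match shows up as exactly one byte less."""
    comp = zlib.compressobj(level=9, wbits=-15, strategy=zlib.Z_FIXED)
    return len(comp.compress(body) + comp.flush())


def oracle(query: str) -> int:
    """What the attacker can measure: the response size for a request they induced
    (e.g. via an <img> or fetch from a page the victim visits)."""
    return compressed_length(render_page(query))


def recover_token(length: int = len(SECRET_TOKEN)) -> str:
    """Recover the secret one character at a time.  The guess that extends the match
    against the real token compresses best, so the shortest response reveals it."""
    known = ""
    for _ in range(length):
        sizes = {c: oracle(KNOWN_PREFIX + known + c) for c in HEX}
        best = min(sizes, key=sizes.get)
        known += best
    return known


if __name__ == "__main__":
    print("recovered:", recover_token())
```

With fixed tables the correct guess is always exactly one byte shorter than every wrong guess, so the oracle never mis-steps. With zlib's default dynamic tables the same 8-bit difference is blurred by changes in the Huffman code lengths and by byte alignment, which is why the BREACH paper and real tools add padding and character-pool tricks to average the noise out; the leak does not go away, it just needs more requests. That is the reason the middleware leaves compression off for dynamic HTTPS responses by default: any page that reflects attacker input next to a secret is exploitable this way, and a Referer check does not change what the compressor sees.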
I don't believe it is, referrers can be faked by a bad actor. The safe approach is to leave it off on dynamic files, and we're not going to take any of the riskier approaches.