aspnet / BasicMiddleware

[Archived] Basic middleware components for ASP.NET Core. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

Turn on Compression based on Referrer to avoid BREACH #325

Closed RehanSaeed closed 6 years ago

RehanSaeed commented 6 years ago

The response compression middleware has response compression over HTTPS turned off by default to avoid the BREACH attack but has a flag to turn it on. The downside is that you lose performance of course. According to this article:

Another suggested approach is to disable HTTP compression whenever the referrer header indicates a cross-site request, or when the header is not present. This approach allows effective mitigation of the attack without losing functionality, only incurring a performance penalty on affected requests.

@blowdart Is this really a viable strategy to enable compression? Can we add this functionality to the response compression middleware?

blowdart commented 6 years ago

I don't believe it is, referrers can be faked by a bad actor. The safe approach is to leave it off on dynamic files, and we're not going to take any of the riskier approaches.
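For reference, the flag the thread refers to is `ResponseCompressionOptions.EnableForHttps` on the response compression middleware. The following is an added illustration, not code from this repository or either commenter, showing the default (compression left off for HTTPS responses, the stance the maintainer takes above) next to the explicit opt-in; the `Startup` layout is assumed.

```csharp
// Startup.cs (assumed layout for an ASP.NET Core app using the
// Microsoft.AspNetCore.ResponseCompression package)
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.ResponseCompression;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddResponseCompression(options =>
        {
            // Default is false: dynamic responses sent over HTTPS are not
            // compressed, so a BREACH attacker gets no compressed-length
            // oracle on pages that mix secrets with attacker-controlled input.
            options.EnableForHttps = false;

            // Opt-in (the flag mentioned in the issue). Turning this on trades
            // BREACH exposure for bandwidth; it is only reasonable where the
            // compressed HTTPS responses contain nothing secret.
            // options.EnableForHttps = true;
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before any middleware that writes the response body.
        app.UseResponseCompression();
        app.Run(async context =>
        {
            await context.Response.WriteAsync("hello");
        });
    }
}
```

A quick check that the default is in effect is to request a dynamic page over HTTPS and confirm the response carries no `Content-Encoding` header.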