Closed reubenelder closed 1 month ago
There are security considerations to review when enabling both SSL + Compression.
Compressed responses over secure connections can be controlled with the EnableForHttps option, which is disabled by default because of the security risk. Using compression with dynamically generated pages can expose the app to CRIME and BREACH attacks.
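Why that option is off by default, as an added illustration (not code from the FHIR server or from the quoted documentation): when one response body carries both request-controlled text and a secret, its compressed size depends on how much the two overlap, and encryption does not hide size. All names and values below are constructed for the example.

```python
import zlib

# Constructed values for illustration only.
SECRET = "4f9a1c7e2b8d6035a1e4c9d7"
MATCHING = SECRET                       # reflected text equal to the secret
UNRELATED = "zyxwvutsrqponmlkjihgfedc"  # same length, no overlap with it


def build_body(reflected: str) -> bytes:
    """Response that echoes request input next to a secret value."""
    return ('{"echo":"' + reflected + '","token":"' + SECRET + '"}').encode()


def wire_length(reflected: str, compress: bool) -> int:
    """Size of the body as sent; TLS encrypts it but the size stays visible."""
    body = build_body(reflected)
    return len(zlib.compress(body)) if compress else len(body)


def length_gap(compress: bool) -> int:
    """Bytes saved when the reflected text duplicates the secret."""
    return wire_length(UNRELATED, compress) - wire_length(MATCHING, compress)


if __name__ == "__main__":
    print("size gap with compression:   ", length_gap(True))
    print("size gap without compression:", length_gap(False))
```

The gap is nonzero only when the body is compressed, which is the signal that leaving compression off for HTTPS responses removes.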
Thanks Brendan, I've read those pages before and if I'm interpreting them correctly the issue is around dynamically generated pages, not API calls. Obviously, I don't want to encourage something that decreases security, but if it was secure it could increase performance for some of our larger queries. Any chance it will be considered or is it too risky?
Thanks for asking the question @reubenelder. We do not plan to invest in response compression in the near term, unfortunately. Closing the issue.
Hi,
Unless I'm missing something I don't think there is any response compression in the FHIR server. Are there plans to support this?
Thanks, Reuben