zstd-nginx-module
BREACH concern: 'text/html' is always compressed
By having text/html "always compressed" (as it seems zstd_types is going to do no matter what I put on that command line) you introduce a persistent BREACH risk to your data.
It would be better if you have text/html as the 'default' option for zstd_types, but allow people to override it to exclude text/html MIME types.
By forcing text/html to be compressed all the time, a compressed HTML body containing some secret information could be vulnerable to BREACH. Adjusting the defaults to allow zstd_types to be overridden to exclude text/html would help to mitigate this risk.
(Brotli is also affected by this, as is GZip and other compression modules)
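A practitioner reading this report will want a quick way to confirm what a server actually does with HTML responses, independent of what the config says. The script below is an added example, not code from zstd-nginx-module or the issue author: it starts a hypothetical local origin that behaves the way the report describes (text/html is compressed whenever the client advertises a supported encoding), then probes it with a request that advertises zstd, br and gzip and reports whether a text/html response came back compressed. The sample HTML body, the demo server and the function names are all constructed for the example; gzip stands in for zstd only because it is in the standard library, since the check is about the `Content-Encoding` header rather than the codec.

```python
import gzip
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample body: a page carrying a per-session secret (a CSRF token)
# next to content a visitor can influence, which is the shape of response that
# makes compression a BREACH concern.
SAMPLE_HTML = (
    b"<html><body><form><input name=csrf value=EXAMPLE_TOKEN_0123></form>"
    b"Hello</body></html>"
)


class DemoHandler(BaseHTTPRequestHandler):
    """Hypothetical origin: compresses text/html whenever the client allows it,
    mirroring the 'always compressed' behaviour described in the issue."""

    def do_GET(self):
        accepted = self.headers.get("Accept-Encoding", "")
        body = SAMPLE_HTML
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        if "gzip" in accepted:
            body = gzip.compress(body)
            self.send_header("Content-Encoding", "gzip")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Keep the demo quiet; the audit result is what matters.
        pass


def start_demo_server():
    """Start the constructed origin on a random loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def check_html_compression(host, port, path="/", encodings="zstd, br, gzip"):
    """Probe one URL and report whether a text/html response is delivered
    with a content-coding. 'encodings' is what the probe advertises in
    Accept-Encoding, so it can be widened for other modules."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers={"Accept-Encoding": encodings})
    resp = conn.getresponse()
    resp.read()  # drain the body so the connection can be closed cleanly
    content_type = resp.getheader("Content-Type", "")
    content_encoding = resp.getheader("Content-Encoding", "identity")
    conn.close()
    is_html = content_type.split(";")[0].strip().lower() == "text/html"
    return {
        "content_type": content_type,
        "content_encoding": content_encoding,
        # True means the mitigation discussed in the issue is NOT in effect.
        "html_compressed": is_html and content_encoding.lower() not in ("", "identity"),
    }


if __name__ == "__main__":
    server, port = start_demo_server()
    print(check_html_compression("127.0.0.1", port))
    server.shutdown()
```

Against a real deployment, point `check_html_compression` at the host and a page that embeds a secret; a result with `html_compressed` set to `True` after `zstd_types` has been narrowed to exclude `text/html` is the symptom this issue describes.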
@teward I just want it to be consistent with the ngx_gzip module at that time.
Excerpting from ngx_gzip document:
Enables gzipping of responses for the specified MIME types in addition to “text/html”. The special value “*” matches any MIME type (0.8.29). Responses with the “text/html” type are always compressed.
OK now let me check the BREACH out.
@teward Your words sound fair enough. Since there is a potential security issue, we should fix it; this is more important than "consistency" with other modules of the same kind.
Although I'm not familiar with the details of the BREACH attack, I will fix this issue anyway as soon as possible.