BREACH concern: 'text/html' is always compressed
Closed this issue · 3 comments
By having text/html "always compressed" you introduce a persistent BREACH risk to your data. It would be better if you have text/html as the 'default' option for brotli_types, but allow people to override it to exclude text/html MIME types.

By forcing text/html to be compressed all the time, a compressed HTML body containing some secret information could be vulnerable to BREACH. Adjusting the defaults to allow brotli_types to be overridden to exclude text/html would help to mitigate this risk.

(NGINX upstream has gzip_types always compress text/html, which is its own issue, and should probably be overridable, yet it isn't - this is https://trac.nginx.org/nginx/ticket/1083 to some extent)
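As an added illustration (not configuration from this issue or from the ngx_brotli project), the fragment below shows why the reporter's concern matters and the per-location workaround a defender can apply today: because text/html is merged into the type list unconditionally, narrowing brotli_types does not stop HTML from being compressed, so responses that embed per-user secrets (CSRF tokens, session data) are protected by switching compression off for those locations instead. The /account/ path and the upstream name are assumed placeholders.

```nginx
http {
    # Enabling brotli here compresses every response whose MIME type
    # is in brotli_types. text/html is implied on top of this list,
    # so the omission of text/html below does NOT exclude HTML.
    brotli on;
    brotli_types text/css application/javascript application/json;

    server {
        listen 443 ssl;

        # Static assets contain no per-user secrets: compression is safe.
        location /static/ {
            root /var/www;
        }

        # Dynamic HTML that reflects attacker-influenced input next to
        # a secret is the BREACH case. Until text/html can be excluded
        # from the defaults, disable both compressors for this path.
        # (/account/ and the upstream are placeholders for this example.)
        location /account/ {
            brotli off;
            gzip off;
            proxy_pass http://app_backend;
        }
    }
}
```

The same location-scoped override covers the upstream gzip_types behaviour mentioned above, since gzip off is honoured per location even though text/html cannot be removed from gzip_types either.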
Oh, I see - this is because the "types" are merged with ngx_http_html_default_types... What a strange decision to add a default that is impossible to turn off.

Will fix soon. Thanks.
@eustas Yeah, this has a bug in NGINX Trac to try and unbundle the 'default' type of text/html from the "Always Compress" list. If we can override that in Brotli then the workaround that was stated there becomes even more secure (but further, we can specify compression types to NOT be text/html if we don't want it to be).

I await a nice fix :)
Moved the issue to the upstream