From 5e408aad2bcdfd7267dcf2ded36623482a81e5d6 Mon Sep 17 00:00:00 2001
From: maxlath
Date: Thu, 27 Feb 2025 18:17:33 +0100
Subject: [PATCH] nginx: disable compression to mitigate BREACH exploit

---
 nginx/templates/default.conf.template | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/nginx/templates/default.conf.template b/nginx/templates/default.conf.template
index e935b19..7e247b7 100755
--- a/nginx/templates/default.conf.template
+++ b/nginx/templates/default.conf.template
@@ -39,12 +39,11 @@ server {
 client_max_body_size 25M;
- # As long as no secret/sensible data are passed in the body, the BREACH exploit on TLS+compression shouldn't be a concern. Right?
+ # Disabling compression to mitigate BREACH exploit
 # https://en.wikipedia.org/wiki/BREACH_(security_exploit)#Mitigation
 # http://security.stackexchange.com/questions/39925/breach-a-new-attack-against-http-what-can-be-done
- # It could be that it was solved by HTTP/2 \o/ https://blog.cloudflare.com/hpack-the-silent-killer-feature-of-http-2
- gzip on;
- gzip_types *;
+ # until we can confidently say that HTTP/2 solves the issue? https://blog.cloudflare.com/hpack-the-silent-killer-feature-of-http-2
+ gzip off;
 # On-The-Fly Image Resizer
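Review bot: `gzip off;` only stops nginx's own compression; a response the upstream application already sends with `Content-Encoding: gzip` is proxied through unchanged, so the BREACH mitigation is incomplete unless the backend's compression is also confirmed off (not visible in this hunk), and a `gzip on` in a nested `location` or an included file would override this server-level setting. The new comment line `+ # until we can confidently say that HTTP/2 solves the issue?` is also misleading: the linked HPACK article concerns header compression, whereas BREACH targets compressed response bodies, which HTTP/2 does not protect; suggest `# Compression disabled to mitigate BREACH; HTTP/2 (HPACK) only protects headers, not response bodies`. Since BREACH requires attacker-influenced input and a secret in the same compressed response, compression could still be re-enabled with a location-scoped `gzip on` for routes that serve only static assets. The enclosing `server` block starts and ends outside the hunk.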