[1.4.x] Fixed #20887 -- Added a warning to GzipMiddleware in light of…


Thanks EvilDMP for the report and Russell Keith-Magee
for the draft text.

Backport of da843e7 from master
1 parent 434d122 commit cca302cde6b524992d89add9b9f293d86ac8fba0 @timgraham timgraham committed
Showing with 18 additions and 1 deletion.
  1. +14 −0 docs/ref/middleware.txt
  2. +4 −1 docs/topics/cache.txt
14 docs/ref/middleware.txt
@@ -90,6 +90,20 @@ GZip middleware
.. class:: GZipMiddleware
+.. warning::
+ Security researchers recently revealed that when compression techniques
+ (including ``GZipMiddleware``) are used on a website, the site becomes
+ exposed to a number of possible attacks. These approaches can be used to
+ compromise, amongst other things, Django's CSRF protection. Before using
+ ``GZipMiddleware`` on your site, you should consider very carefully whether
+ you are subject to these attacks. If you're in *any* doubt about whether
+ you're affected, you should avoid using ``GZipMiddleware``. For more
+ details, see the `the BREACH paper (PDF)`_ and ``_.
+ .. _the BREACH paper (PDF):,%20gone%20in%2030%20seconds.pdf
+ ..
Compresses content for browsers that understand GZip compression (all modern
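Review bot: both link targets at the end of this warning are broken as shown in the hunk: the `.. _the BREACH paper (PDF):` target line carries only the tail `,%20gone%20in%2030%20seconds.pdf` with no scheme or host, and the second reference is an empty ``` ``_. ``` with no URL at all, so Sphinx will report an unresolved target and the rendered warning will point nowhere. Restore the full URLs before this lands. Two smaller points on the text itself: "Security researchers recently revealed" will read stale within months, so name the attack (the link title already says BREACH) and the year so the paragraph dates itself; and the concrete consequence, that these attacks "can be used to compromise, amongst other things, Django's CSRF protection", is the sentence a site operator needs first, so consider leading with it rather than burying it mid-paragraph. The lone `..` line that closes the block is an empty RST comment; it is harmless but easy to mistake for a typo, so a plain blank line would be clearer.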
5 docs/topics/cache.txt
@@ -1164,7 +1164,10 @@ site's performance:
and ``Last-Modified`` headers.
* :class:`django.middleware.gzip.GZipMiddleware` compresses responses for all
- modern browsers, saving bandwidth and transfer time.
+ modern browsers, saving bandwidth and transfer time. Be warned, however,
+ that compression techniques like ``GZipMiddleware`` are subject to attacks.
+ See the warning in :class:`~django.middleware.gzip.GZipMiddleware` for
+ details.
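Review bot: "are subject to attacks" is too vague for a reader scanning the cache topic to judge whether it applies to them. The middleware warning this sentence points to already names the consequence (compromising Django's CSRF protection), so repeat that one clause here, e.g. `that compression techniques like ``GZipMiddleware`` are subject to attacks (BREACH) that can compromise Django's CSRF protection.`, and keep the cross-reference for the details. The :class:`~django.middleware.gzip.GZipMiddleware` role is correct and matches the class documented in the first file.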
