[docs] Add note about the CompressHandler and TLS traffic (#90)
The BEAST and CRIME attacks both let an attacker extract secrets from a page
by making guesses about the page's contents, and then measuring how much the
response compresses. It is probably worthwhile to warn users about the side
effects of compressing responses if they contain secret information.

For more information, see http://security.stackexchange.com/a/102015/12208.
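The mitigation that follows from the commit message is to keep compression away from responses that carry secrets next to reflected input, while still compressing things like static assets. The middleware below is an added illustration of that split, written for this page; it is not gorilla/handlers' code, and the `SelectiveCompress` wrapper, the `safe` predicate, the `/static/` path rule and the placeholder CSRF token in the sample app are all assumptions made for the example.

```go
package main

import (
	"compress/gzip"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// gzipResponseWriter routes the body through a gzip.Writer; headers and
// status still go to the underlying ResponseWriter.
type gzipResponseWriter struct {
	http.ResponseWriter
	gz *gzip.Writer
}

func (w *gzipResponseWriter) Write(b []byte) (int, error) { return w.gz.Write(b) }

// SelectiveCompress (hypothetical name) gzips a response only when the client
// advertises gzip AND the caller's safe() predicate says this request's
// response contains no secrets that sit next to attacker-influenced input.
// Everything else is passed through uncompressed, so the compressed length
// cannot be used to guess at tokens embedded in the page.
func SelectiveCompress(h http.Handler, safe func(*http.Request) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !safe(r) || !strings.Contains(r.Header.Get("Accept-Encoding"), "gzip") {
			h.ServeHTTP(w, r)
			return
		}
		w.Header().Set("Content-Encoding", "gzip")
		w.Header().Add("Vary", "Accept-Encoding")
		w.Header().Del("Content-Length") // length of the compressed body is unknown up front
		gz := gzip.NewWriter(w)
		defer gz.Close() // writes the gzip trailer once the inner handler is done
		h.ServeHTTP(&gzipResponseWriter{ResponseWriter: w, gz: gz}, r)
	})
}

// servedBody runs one GET with "Accept-Encoding: gzip" through a small
// constructed app and returns the Content-Encoding header plus the decoded body.
func servedBody(path string) (string, string) {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Constructed sample responses. The token value is a placeholder.
		if strings.HasPrefix(r.URL.Path, "/static/") {
			io.WriteString(w, strings.Repeat("body { color: #333; }\n", 20))
			return
		}
		io.WriteString(w, `<form><input type="hidden" name="csrf" value="PLACEHOLDER_TOKEN"></form>`)
	})
	// Only static assets are declared safe to compress; application pages are not.
	h := SelectiveCompress(app, func(r *http.Request) bool {
		return strings.HasPrefix(r.URL.Path, "/static/")
	})

	req := httptest.NewRequest("GET", path, nil)
	req.Header.Set("Accept-Encoding", "gzip")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)

	enc := rec.Header().Get("Content-Encoding")
	var rd io.Reader = rec.Body
	if enc == "gzip" {
		gr, err := gzip.NewReader(rec.Body)
		if err != nil {
			panic(err)
		}
		defer gr.Close()
		rd = gr
	}
	body, _ := io.ReadAll(rd)
	return enc, string(body)
}

func main() {
	for _, p := range []string{"/static/app.css", "/account"} {
		enc, body := servedBody(p)
		fmt.Printf("%-16s Content-Encoding=%q bytes=%d\n", p, enc, len(body))
	}
}
```

The predicate is deliberately a whitelist: a path is compressed only when the caller has affirmatively said it carries nothing secret. Running the sample shows `/static/app.css` served as gzip and `/account`, whose body holds the placeholder token, served uncompressed.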
kevinburke authored and elithrar committed Oct 28, 2016
1 parent a577578 commit e1b2144
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions compress.go
Expand Up @@ -56,6 +56,9 @@ func (w *compressResponseWriter) Flush() {

// CompressHandler gzip compresses HTTP responses for clients that support it
// via the 'Accept-Encoding' header.
//
// Compressing TLS traffic may leak the page contents to an attacker if the
// page contains user input: http://security.stackexchange.com/a/102015/12208
func CompressHandler(h http.Handler) http.Handler {
return CompressHandlerLevel(h, gzip.DefaultCompression)
}
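Review bot: the new doc comment on CompressHandler names the hazard but is imprecise about when it applies and silent on what to do. The commit message describes the leak as an attacker guessing at page contents and measuring how much the response compresses, so the exposure is responses that place secrets alongside attacker-influenced input, not TLS traffic in general; consider stating it that way, e.g. "Do not compress responses that contain secrets (session or CSRF tokens) together with user-controlled input over TLS, since the compressed length can reveal the secret", and adding a sentence telling callers to leave such handlers unwrapped. The reference link could also use https.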
