I have a Single Page Application (SPA) that consists of static resources (HTML, JS, CSS, images, fonts, ...) that are served from an Apache web server and several API endpoints (serving JSON from a JBoss backend, proxied through the same Apache that serves the static resources).
Client browsers have access to the SPA only via HTTPS.
Sensitive data is served exclusively from the API endpoints.
I would like to enable gzip compression for all the static resources. gzip compression will not be enabled on the API endpoints.
Is enabling gzip compression on the static resources a security risk because of the BREACH security exploit?
I do not fully understand the BREACH attack:
- My static resources (which would be compressed) do not reflect any user data
- The API calls do reflect user data and can contain query parameters, but they are not compressed.
Is the above scenario vulnerable to the BREACH attack or not?
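For reference, this is one way the split described in the question (DEFLATE on static assets only, never on the proxied API) can be expressed in Apache httpd configuration. It is an added example, not configuration taken from the question; the backend hostname and port, the `/api` prefix and the asset types are assumptions. The property that matters for BREACH is that no response which both reflects request input and carries a secret is ever compressed, which is what the `/api` block enforces.

```apache
# Added example: compress static assets, leave API responses uncompressed.
# The backend address and the /api prefix below are assumptions.
<IfModule mod_deflate.c>
    # Compress only static, non-user-specific asset types.
    # application/json is deliberately absent, so API payloads are not
    # compressed even if a proxied response slipped past the Location below.
    AddOutputFilterByType DEFLATE text/html text/css text/javascript \
        application/javascript image/svg+xml

    # Already-compressed formats gain nothing from DEFLATE.
    SetEnvIfNoCase Request_URI "\.(?:gif|jpe?g|png|woff2?)$" no-gzip dont-vary
</IfModule>

# API responses reflect request parameters and carry secrets, so they must
# not be compressed. The no-gzip environment variable makes mod_deflate skip
# the response regardless of its Content-Type.
<Location "/api">
    SetEnv no-gzip 1
    # Assumed JBoss backend address.
    ProxyPass "http://jboss.internal:8080/api"
    ProxyPassReverse "http://jboss.internal:8080/api"
</Location>
```

Verify the result with a request for a static file and one for an API path and compare the `Content-Encoding` response header: only the static file should come back as `gzip`.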