Google PageSpeed suggests delivering some static files, e.g. JavaScript and CSS, compressed. But as our site is HTTPS only, we disabled compression in our web server for security reasons.

As far as I understood the BREACH attack, it is not secure to enable compression in the server. Did I misunderstand something, and is it secure to enable compression for static files on the web server? Or is there some way to deliver static files compressed without the risks of BREACH?

HopelessN00b
Thomas
    My understanding (based on breachattack.com) is that for a particular REQUEST to be vulnerable to BREACH, it has to reflect some user input in the response. This is unlikely to be the case for static css and js, so I believe it's not an issue to selectively compress those, so long as any dynamic output remains uncompressed. – carpii Feb 06 '15 at 12:15
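
The selective approach described in the comment above, as an added example that is not part of the original thread. It assumes nginx as the web server (the question does not name one); the host name, file paths and backend address are placeholders.

```nginx
# Added example: compress static CSS/JS only, keep dynamic output uncompressed.
# Assumes nginx; all names, paths and addresses below are placeholders.
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/tls/example.crt;
    ssl_certificate_key /etc/nginx/tls/example.key;

    # Default for the whole virtual host: no compression, so responses that
    # reflect request input alongside a secret are never compressed.
    gzip off;

    # Static assets read from disk: the body contains no user input.
    location ~* \.(?:css|js)$ {
        root /var/www/static;
        gzip on;
        # With "gzip on", nginx always compresses text/html in addition to the
        # types listed here, which is why compression is scoped to this
        # location instead of being enabled server-wide.
        gzip_types text/css application/javascript text/javascript;
        gzip_vary on;          # send "Vary: Accept-Encoding" for caches
        gzip_min_length 1024;  # skip very small files
    }

    # Dynamic application: inherits "gzip off" from the server block.
    location / {
        proxy_pass http://127.0.0.1:8080;
        # Drop Accept-Encoding towards the backend so the application does
        # not compress its own responses behind the proxy.
        proxy_set_header Accept-Encoding "";
    }
}
```

To check the result, request a stylesheet and a dynamic page with `Accept-Encoding: gzip` and confirm that only the stylesheet response carries `Content-Encoding: gzip`.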

0 Answers