Google PageSpeed suggests compression - but my site is https

Asked Feb 06 '15 at 11:05

Active Feb 06 '15 at 11:28

Viewed 391 times

Google PageSpeed suggests to deliver some static files like e.g. JavaScript, CSS. But as our site is HTTPS only we disabled compression in our web server because of security reasons.

As far as I understood the BREACH attack it is not secure to enable compression in the server. Did I misunderstand something that it is secure to enable compression for static files on the web server? Or is there some way to deliver static files compressed without the risks of BREACH?

edited Feb 06 '15 at 11:28

HopelessN00b

53,385
32
133
208

asked Feb 06 '15 at 11:05

Thomas

1

My understanding (based on breachattack.com) is that for a particular REQUEST to be vulnerable to BREACH, it has to reflect some user input in the response. This is unlikely to be the case for static css and js, so I believe its not an issue to selectively compress those, so long as any dynamic output remains uncompressed. – carpii Feb 06 '15 at 12:15

Google PageSpeed suggests compression - but my site is https

0 Answers0