Comment 1 for bug 1403283

Revision history for this message
Thomas Ward (teward) wrote :

Additional notes:

Disabling HTTP-level compression by default is not a decent option to solving this. Mitigation is mostly on an application level, then, however there are third-party modules that can be included (in the Universe binaries) which would add length hiding as a potential mitigation method.

A more detailed description on this whole issue can be found here on my blog, describing what BREACH is and possible mitigation methods. It also provides three possible mitigation methods, one which can be done already by default, one which can be done at application levels, and one which can be done with a separate module. is the blog post. (aggregated on