Everywhere I look for solutions to mitigate this vulnerability, I find something like:
Just turn off http compression.
Well, this is a pain because compression saves a lot of bandwidth and also speeds up the loading of your web pages. Moreover, what I read about BREACH is that the compressed length can be used by an attacker to read some (potentially secret) information inside a compressed document.
Now, let's say I have some secret information on the loaded pages, which is not the case for static resources such as CSS or JS.
So, is the solution to disable compression for HTML pages only (dynamic or not) and enable compression for unclassified resources like CSS or safe JS?
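The selective approach asked about above, written out as an Apache httpd 2.4 configuration. This is an added example, not part of the original post; it assumes mod_deflate and mod_headers are loaded and that the only secret-bearing responses are the HTML pages.

```apache
# Added example (not from the original post): compress only static asset
# types and leave text/html uncompressed, so pages that may place reflected
# input next to a secret are not exposed through their compressed length.
<IfModule mod_deflate.c>
    # Only the listed MIME types are compressed; anything not listed
    # (including text/html and application/json) is sent as-is.
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE text/javascript

    # Make caches keep compressed and uncompressed variants apart.
    <IfModule mod_headers.c>
        Header append Vary Accept-Encoding
    </IfModule>
</IfModule>
```

To confirm the split, request an HTML page and a .css file with `Accept-Encoding: gzip`: the stylesheet should come back with `Content-Encoding: gzip`, the page without any `Content-Encoding` header.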