Hello!

On Wed, Oct 18, 2023 at 04:13:39PM +0000, alienmega via nginx wrote:

> Hello,
> I am trying to disable gzip to mitigate the BREACH attack (I use
> a service to check for vulnerabilities and it came up with
> that). I added gzip off to the nginx.conf file and then checked the
> configuration with nginx -t, and then reloaded with systemctl
> reload nginx.
>
> When I visit the site, I still have
> Accept-Encoding: gzip, deflate, br

The "Accept-Encoding" is a _request_ header, sent by your browser.
You have to look at the response headers instead, notably
Content-Encoding.

> I checked that I don't have gzip on anywhere else in /etc/nginx/*
> grep -Ri "gzip off" /etc/nginx

As long as you don't have "gzip on" (or "gzip_static", but it is
certainly not affected by BREACH) in your nginx configuration, nginx
won't use gzip.

Note though that if you are using some backend server to return
dynamic responses, you might need to disable gzip there as well.

Note well that completely disabling gzip might not be the best
solution. The BREACH attack only affects response body compression
if the resource being returned 1) contains some secret information
and 2) reflects some user input. That is, it certainly does not
affect static files, and can be easily avoided by masking secrets in
dynamic pages, see https://www.breachattack.com/ for details.

--
Maxim Dounin
http://mdounin.ru/

_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
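The two conditions above (a secret in the body plus reflected user input) and the masking mitigation can be seen directly with zlib, which uses the same DEFLATE algorithm as nginx's gzip module. The following Python is an added example written for this page; it is not code from the thread, from nginx, or from breachattack.com. The page template, the hex token and the attacker's reflected string are all constructed for the demonstration, and the masking scheme (random mask followed by mask XOR secret) is the one breachattack.com describes, implemented here in a minimal form.

```python
"""Added example (not from the mailing-list thread): why BREACH needs a secret
*and* reflected input in one compressed body, and how per-response masking of
the secret removes the compressed-length signal.  Page, token and attacker
input below are constructed for this example."""
import secrets
import zlib
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Constructed secret (e.g. a CSRF token) that a dynamic page embeds.
SECRET_HEX = "3f9a1c7b4e2d8a6f0b5c9e1d7a3f2b8c"


def render_page(token_field: str, reflected: str) -> bytes:
    """Constructed dynamic page: carries a token and echoes a query string."""
    return (
        "<html><body>\n"
        f'<input type="hidden" name="csrf_token" value="{token_field}">\n'
        f"<p>Results for: {reflected}</p>\n"
        "</body></html>\n"
    ).encode()


def compressed_len(body: bytes) -> int:
    """Size of the DEFLATE-compressed body: the only thing BREACH measures."""
    return len(zlib.compress(body, 9))


def length_oracle(token_field: str, guess: str) -> int:
    """Compressed size when the attacker reflects the token's HTML prefix
    followed by a guess; a correct guess extends the LZ77 back-reference."""
    return compressed_len(render_page(token_field, f'csrf_token" value="{guess}'))


def unmasked_token_leaks(prefix_len: int = 8) -> bool:
    """With the raw secret in the page, the correct prefix compresses smaller
    than a wrong one, so one byte of the secret per step can be confirmed."""
    correct = length_oracle(SECRET_HEX, SECRET_HEX[:prefix_len])
    wrong = length_oracle(SECRET_HEX, "01234567"[:prefix_len])  # no repeats
    return correct < wrong


def mask_secret(secret: bytes) -> str:
    """Per-response masking: emit mask || (mask XOR secret), so the same secret
    is encoded differently in every response (scheme from breachattack.com)."""
    mask = secrets.token_bytes(len(secret))
    masked = bytes(a ^ b for a, b in zip(mask, secret))
    return urlsafe_b64encode(mask + masked).decode()


def unmask_secret(field: str) -> bytes:
    """Server side: split the field in half and XOR to recover the secret."""
    raw = urlsafe_b64decode(field.encode())
    half = len(raw) // 2
    return bytes(a ^ b for a, b in zip(raw[:half], raw[half:]))


def masked_token_hides_secret() -> bool:
    """With masking, the secret's real bytes never appear in the body, so an
    attacker's guess at the secret cannot lengthen any back-reference, while
    the server still recovers the secret from the submitted field."""
    field = mask_secret(bytes.fromhex(SECRET_HEX))
    page = render_page(field, "")
    return (SECRET_HEX.encode() not in page
            and unmask_secret(field) == bytes.fromhex(SECRET_HEX))


if __name__ == "__main__":
    print("raw token, correct prefix :", length_oracle(SECRET_HEX, SECRET_HEX[:8]))
    print("raw token, wrong prefix   :", length_oracle(SECRET_HEX, "01234567"))
    field = mask_secret(bytes.fromhex(SECRET_HEX))
    print("masked token, correct     :", length_oracle(field, SECRET_HEX[:8]))
    print("masked token, wrong       :", length_oracle(field, "01234567"))
    print("secret leaks when unmasked:", unmasked_token_leaks())
    print("masking hides the secret  :", masked_token_hides_secret())
```

The first two lines of output show the length difference an attacker would use; with the masked field the attacker's candidate never matches bytes in the body, so that signal is gone while `gzip on` can stay enabled for static content. To confirm what nginx actually sends, check the response rather than the request, for example `curl -sI -H 'Accept-Encoding: gzip' https://your-site/` and look for a `Content-Encoding: gzip` response header; if a backend sets it, nginx passes it through unchanged, which is the "disable gzip there as well" point in the reply above.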