Everywhere I look for solutions to mitigate this vulnerability, I find something like:

Just disable http compression.

Well, that's a pain, because compression saves a lot of bandwidth and also makes your webpages load much faster. Moreover, what I read about BREACH is that the compressed length can be used by an attacker to read some (potentially secret) information inside the compressed document.

Now, let's admit I do have some secret information in the pages I load; that doesn't mean static resources like CSS or JS have it too.

So, is it a solution to disable compression only for html pages (dynamic or not) and enable compression for non-secret resources like CSS or safe JS?

1 Answer


Here are a few potential solutions I found here

CSRF Token Defence

HTTP Chunked Encoding Mitigation

Referer Check Mitigation

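For the split the question proposes (no compression for HTML, compression kept for static assets), here is an added nginx configuration; it is not from the question or the answer, and the hostname, upstream address and asset path are assumptions. The caveat it encodes is that nginx always compresses text/html whenever gzip is on, regardless of gzip_types, so compression has to be scoped by location rather than by MIME type alone.

```nginx
# Added example (not from the page): compress only static assets, never HTML,
# so the BREACH length oracle has nothing secret to measure. example.com,
# 127.0.0.1:8080 and /var/www/static are assumed values.
server {
    listen 443 ssl;
    server_name example.com;

    # Off by default for this server block: dynamic HTML (and anything else that
    # may reflect user input next to a secret such as a CSRF token) leaves
    # uncompressed.
    gzip off;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }

    # Static CSS/JS carry no per-user secrets, so compression is safe here.
    # gzip is enabled per location because nginx compresses text/html whenever
    # gzip is on, even if text/html is absent from gzip_types.
    location ~* \.(css|js)$ {
        root /var/www/static;
        gzip on;
        gzip_types text/css application/javascript;
    }
}
```

Any JS or JSON endpoint that is generated per user and embeds a secret belongs in the uncompressed group, not in the static location.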