Selectively enable GZIP when HTTP referer matches external URL of GitLab host (!1814) · Merge requests · GitLab.org / omnibus-gitlab

Closed Stan Hu requested to merge sh-enable-gzip into master 7 years ago

gzip is disabled for HTTPS for a number of reasons, but Rails has anti-BREACH measures in place for CSRF tokens. In addition, we can mitigate the risk of this attack further by enabling GZIP only when the HTTP referer matches the GitLab origin.

For more details, see:

https://blog.qualys.com/ssllabs/2013/08/07/defending-against-the-breach-attack
https://gitlab.com/gitlab-org/gitlab-ce/issues/33719

Edited 7 years ago by Stan Hu

Activity

Please register or sign in to reply

Selectively enable GZIP when HTTP referer matches external URL of GitLab host

Merge request reports

Activity