Commit da843e7d authored by Tim Graham's avatar Tim Graham

Fixed #20887 -- Added a warning to GzipMiddleware in light of BREACH.

Thanks EvilDMP for the report and Russell Keith-Magee
for the draft text.
parent 5eca021d
+14 −0
@@ -79,6 +79,20 @@ GZip middleware

.. class:: GZipMiddleware

.. warning::

    Security researchers recently revealed that when compression techniques
    (including ``GZipMiddleware``) are used on a website, the site becomes
    exposed to a number of possible attacks. These approaches can be used to
    compromise, amongst other things, Django's CSRF protection. Before using
    ``GZipMiddleware`` on your site, you should consider very carefully whether
    you are subject to these attacks. If you're in *any* doubt about whether
    you're affected, you should avoid using ``GZipMiddleware``. For more
    details, see the `the BREACH paper (PDF)`_ and `breachattack.com`_.

    .. _the BREACH paper (PDF): http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf
    .. _breachattack.com: http://breachattack.com

Compresses content for browsers that understand GZip compression (all modern
browsers).
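Review bot: the last sentence of the warning reads ``see the `the BREACH paper (PDF)`_``, which renders as "see the the BREACH paper (PDF)"; either drop the article outside the backticks or rename the link target to ``BREACH paper (PDF)``. The warning also tells readers to "consider very carefully whether you are subject to these attacks" without saying what makes a site subject to them; one sentence stating the precondition (a compressed HTTPS response that reflects attacker-controlled input in the same body as a secret such as the CSRF token) would let readers actually make that decision, and would make the recommendation to avoid ``GZipMiddleware`` when in doubt easier to follow. Minor: both reference URLs use ``http://`` for a page about an attack on HTTPS; link to the ``https://`` versions if the site serves them.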

+4 −1
@@ -1173,7 +1173,10 @@ site's performance:
  and ``Last-Modified`` headers.

* :class:`django.middleware.gzip.GZipMiddleware` compresses responses for all
  modern browsers, saving bandwidth and transfer time.
  modern browsers, saving bandwidth and transfer time. Be warned, however,
  that compression techniques like ``GZipMiddleware`` are subject to attacks.
  See the warning in :class:`~django.middleware.gzip.GZipMiddleware` for
  details.

Order of MIDDLEWARE_CLASSES
===========================
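Review bot: "are subject to attacks" in the new sentence is vaguer than the warning it points to; naming the attack here (for example "are vulnerable to the BREACH attack when a compressed response contains both a secret and attacker-influenced input") makes the cross-reference meaningful to readers scanning this performance section, and lets them find the right material by searching for the name. The ``:class:`~django.middleware.gzip.GZipMiddleware``` reference is correct and matches the target added in the other file.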