Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable nginx gzip #156

Merged
merged 1 commit into from
Feb 27, 2025
Merged

Disable nginx gzip #156

merged 1 commit into from
Feb 27, 2025
+2 −0

Conversation

Joe-Heffer-Shef
Copy link
Collaborator

@Joe-Heffer-Shef Joe-Heffer-Shef commented Feb 24, 2025
edited
Loading

See issue #152 for the motivation for proposing this change.

Changes:

  • Disable compressed responses in nginx

@Joe-Heffer-Shef Joe-Heffer-Shef linked an issue Feb 24, 2025 that may be closed by this pull request
CVE-2013-3587 BREACH vulnerability #152
Open
@Joe-Heffer-Shef Joe-Heffer-Shef self-assigned this Feb 24, 2025
@Joe-Heffer-Shef Joe-Heffer-Shef changed the base branch from main to dev February 24, 2025 14:40
@Joe-Heffer-Shef
Copy link
Collaborator Author

It works on dev:

$ curl  -H "Accept-Encoding: gzip" --head --insecure https://sort-web-dev.shef.ac.uk/login/
HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 24 Feb 2025 15:26:33 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2514
Connection: keep-alive
Expires: Mon, 24 Feb 2025 15:26:32 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
Vary: Cookie
X-Frame-Options: DENY
Set-Cookie: csrftoken=Jf5QWfCBgq6z0JLqUtu66UE1DZR8cdI0; expires=Mon, 23 Feb 2026 15:26:33 GMT; Max-Age=31449600; Path=/; SameSite=Lax; Secure

no "Content-Encoding: gzip" header

@Joe-Heffer-Shef Joe-Heffer-Shef mentioned this pull request Feb 24, 2025
Open
twinkarma
twinkarma approved these changes Feb 27, 2025
View reviewed changes
Copy link
Contributor

@twinkarma twinkarma left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Joe-Heffer-Shef Joe-Heffer-Shef merged commit d0e53ed into dev Feb 27, 2025
@Joe-Heffer-Shef Joe-Heffer-Shef deleted the chore/disable-gzip branch February 27, 2025 15:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@twinkarma twinkarma twinkarma approved these changes

@f-allian f-allian Awaiting requested review from f-allian

Assignees

@Joe-Heffer-Shef Joe-Heffer-Shef

Labels
security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CVE-2013-3587 BREACH vulnerability
2 participants
@Joe-Heffer-Shef @twinkarma