Selectively enable GZIP when HTTP referer matches external URL of GitLab host (!1814) · Merge requests · GitLab.org / omnibus-gitlab

Stan Hu requested to merge sh-enable-gzip into master Aug 01, 2017

gzip is disabled for HTTPS for a number of reasons, but Rails has anti-BREACH measures in place for CSRF tokens. In addition, we can mitigate the risk of this attack further by enabling GZIP only when the HTTP referer matches the GitLab origin.

For more details, see:

https://blog.qualys.com/ssllabs/2013/08/07/defending-against-the-breach-attack
https://gitlab.com/gitlab-org/gitlab-ce/issues/33719

Edited Aug 24, 2017 by Stan Hu

Admin message

Admin message

Selectively enable GZIP when HTTP referer matches external URL of GitLab host

Merge request reports