diff options
| author | Tim Graham <timograham@gmail.com> | 2013-09-11 08:17:15 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2013-09-11 08:18:48 -0400 |
| commit | b05639dcacdd8b2c1dd6db447ce7f20caefc5f54 (patch) | |
| tree | 123c5f8343a256618d3064205b1f9ee8259f3d01 /docs/ref | |
| parent | 4f0ea1aca4fce75de22878839f077fa1c1d9e21a (diff) | |
[1.6.x] Fixed #20887 -- Added a warning to GzipMiddleware in light of BREACH.
Thanks EvilDMP for the report and Russell Keith-Magee
for the draft text.
Backport of da843e7dba from master
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/middleware.txt | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/docs/ref/middleware.txt b/docs/ref/middleware.txt index d011f054ac..7aac286c2d 100644 --- a/docs/ref/middleware.txt +++ b/docs/ref/middleware.txt @@ -79,6 +79,20 @@ GZip middleware .. class:: GZipMiddleware +.. warning:: + + Security researchers recently revealed that when compression techniques + (including ``GZipMiddleware``) are used on a website, the site becomes + exposed to a number of possible attacks. These approaches can be used to + compromise, amongst other things, Django's CSRF protection. Before using + ``GZipMiddleware`` on your site, you should consider very carefully whether + you are subject to these attacks. If you're in *any* doubt about whether + you're affected, you should avoid using ``GZipMiddleware``. For more + details, see the `the BREACH paper (PDF)`_ and `breachattack.com`_. + + .. _the BREACH paper (PDF): http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf + .. _breachattack.com: http://breachattack.com + Compresses content for browsers that understand GZip compression (all modern browsers). |
