summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2013-09-11 08:17:15 -0400
committerTim Graham <timograham@gmail.com>2013-09-11 08:17:15 -0400
commitda843e7dba4ae8ed2846475564bb6ded82960827 (patch)
treee6b960c8f9ef131f7b602474c1101107e0449ea3 /docs/ref
parent5eca021d48cc388d89347d01cb7bfafc9fcfa331 (diff)
Fixed #20887 -- Added a warning to GzipMiddleware in light of BREACH.
Thanks EvilDMP for the report and Russell Keith-Magee for the draft text.
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/middleware.txt14
1 files changed, 14 insertions, 0 deletions
diff --git a/docs/ref/middleware.txt b/docs/ref/middleware.txt
index d011f054ac..7aac286c2d 100644
--- a/docs/ref/middleware.txt
+++ b/docs/ref/middleware.txt
@@ -79,6 +79,20 @@ GZip middleware
.. class:: GZipMiddleware
+.. warning::
+
+ Security researchers recently revealed that when compression techniques
+ (including ``GZipMiddleware``) are used on a website, the site becomes
+ exposed to a number of possible attacks. These approaches can be used to
+ compromise, amongst other things, Django's CSRF protection. Before using
+ ``GZipMiddleware`` on your site, you should consider very carefully whether
+ you are subject to these attacks. If you're in *any* doubt about whether
+ you're affected, you should avoid using ``GZipMiddleware``. For more
+ details, see the `the BREACH paper (PDF)`_ and `breachattack.com`_.
+
+ .. _the BREACH paper (PDF): http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf
+ .. _breachattack.com: http://breachattack.com
+
Compresses content for browsers that understand GZip compression (all modern
browsers).