
BREACH attack: Disable compression for cross-origin requests

Affects product: Airlock WAF
Affects version(s): 5.x and newer

This tutorial relates to the BREACH vulnerability described in https://techzone.ergon.ch/breach and provides a fix for it. Consider this solution if response compression is mandatory. If disabling response compression is an option, we recommend doing that instead, for simplicity.

The steps described in this tutorial will globally deactivate compression for certain types of HTTP requests. The decision whether to compress is based on the HTTP Referer header. The fix assumes that the BREACH attacker is not able to forge this header (an attacker who can do so may already be able to read content from the target page anyway). Since compression depends on the Referer header, the following HTTP responses will no longer be compressed:

  • First page accessed by the client (landing page)
  • Pages called from bookmarks or typed-in URLs
  • Refreshed pages
  • Pages requested by special HTTP clients not sending a referer header
  • Any resource like images, JavaScript, CSS sourced by a foreign domain (e.g. a different domain on Airlock Gateway)

Example: Domain appA.com sources the JavaScript file appB.js from www.appB.com with the following HTML tag:

<script type="text/javascript" src="https://appB.com/appB.js"></script>

In this case the file appB.js will be delivered uncompressed.
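
The Referer-based decision described above, sketched as an added example (not Airlock WAF's own code or configuration). It assumes that "foreign domain" means a Referer hostname different from the request's Host header, ignoring the port; the function names and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit


def hostname_of(url):
    """Lower-cased hostname of a URL (port and userinfo stripped), or None."""
    try:
        return urlsplit(url).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return None


def should_compress(host_header, referer):
    """Return True only if the Referer names the same host as the request.

    Assumption: hosts are compared exactly; the port is ignored.
    A missing, non-HTTP(S) or unparsable Referer means "do not compress".
    """
    if not host_header or not referer:
        return False
    ref = referer.strip()
    if not ref.lower().startswith(("http://", "https://")):
        return False
    req_host = hostname_of("//" + host_header.strip())
    return req_host is not None and hostname_of(ref) == req_host


# Constructed sample requests: (Host header, Referer, expected decision)
CASES = [
    ("appB.com", None, False),                           # landing page, bookmark, typed-in URL
    ("appB.com", "https://appA.com/index.html", False),  # appB.js sourced by appA.com
    ("appB.com", "https://appB.com/start", True),        # navigation within the same host
    ("appB.com:443", "https://APPB.com/start", True),    # case and port do not matter
    # Exact host comparison: a prefix or substring match would wrongly
    # treat the next two Referer values as same-host.
    ("appB.com", "https://appB.com.other.example/", False),
    ("appB.com", "https://appB.com@other.example/", False),
    ("appB.com", "not a url", False),                    # unparsable Referer
]


def evaluate_cases():
    """Return the decision for every constructed sample request."""
    return [should_compress(host, ref) for host, ref, _ in CASES]


if __name__ == "__main__":
    for (host, ref, _), decision in zip(CASES, evaluate_cases()):
        print(f"Host={host!r} Referer={ref!r} -> compress={decision}")
```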

Note that compression test tools like https://checkgzipcompression.net/ do not send HTTP Referer headers for their tests and will therefore report that Airlock WAF does not compress responses. To verify compression, we recommend checking that the response header "Content-Encoding: gzip" exists, using a common web browser like Chrome or Firefox (use Developer Toolbar).


Configuration steps on Airlock WAF 7.x and newer

Airlock WAF 7.0 and later protects from BREACH attacks by default, by implementing the mitigation described in this article. To deactivate the mitigation and enable compression for all responses, the following Apache Expert setting must be set on the mapping where compression is activated:

SetEnvIfExpr true !no-brotli !no-gzip

 
