Fixed #20887 -- Added a warning to GzipMiddleware in light of BREACH.

Thanks EvilDMP for the report and Russell Keith-Magee for the draft text.
2025-08-04 19:08:28 +00:00 · 2013-09-11 08:17:15 -04:00 · 2013-09-11 08:17:15 -04:00 · da843e7dba
commit da843e7dba
parent 5eca021d48
2 changed files with 18 additions and 1 deletions
--- a/docs/ref/middleware.txt
+++ b/docs/ref/middleware.txt
@ -79,6 +79,20 @@ GZip middleware

 .. class:: GZipMiddleware

+.. warning::
+
+    Security researchers recently revealed that when compression techniques
+    (including ``GZipMiddleware``) are used on a website, the site becomes
+    exposed to a number of possible attacks. These approaches can be used to
+    compromise, amongst other things, Django's CSRF protection. Before using
+    ``GZipMiddleware`` on your site, you should consider very carefully whether
+    you are subject to these attacks. If you're in *any* doubt about whether
+    you're affected, you should avoid using ``GZipMiddleware``. For more
+    details, see the `the BREACH paper (PDF)`_ and `breachattack.com`_.
+
+    .. _the BREACH paper (PDF): http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf
+    .. _breachattack.com: http://breachattack.com
+
 Compresses content for browsers that understand GZip compression (all modern
 browsers).