Given that the attack vector for CRIME and BREACH is (specifically) compressed content under HTTP/2, wouldn’t use of gzip with Caddy present a security risk? (I’m not going to argue the merits of performance vs. safety, just asking the obvious question about security stance.)
- user data (POST or GET parameters)
- a secret
If your web application serves user data or a secret, then you should disable gzip for any web server that’s serving it. Or separate the user data and the secret. Or randomize the secrets for each request. There are server-level mitigations or application-level mitigations. You choose which is best for you.
In 2012, only 7% of browsers supported TLS compression, and surely that number is even lower today, 4 years later. Go doesn’t support TLS compression.
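As an added illustration of the two application-level mitigations named in the answer (separating or randomizing the secret so its bytes never repeat between responses, and switching compression off for routes that carry secrets), here is a small, self-contained Python example. It is not code from Caddy or from anyone on this thread; the function names, the constructed token value and the route list are assumptions made for the example.

```python
import base64
import secrets


def mask_token(token: bytes) -> bytes:
    """Per-request randomization of a secret (example, not Caddy code).

    Returns mask || (token XOR mask) with a fresh random mask on every call.
    The real token never appears verbatim in the response body, so two
    responses containing the "same" token have no repeated byte pattern for
    a compressor to shorten.
    """
    mask = secrets.token_bytes(len(token))
    masked = bytes(t ^ m for t, m in zip(token, mask))
    return mask + masked


def unmask_token(blob: bytes) -> bytes:
    """Inverse of mask_token: split off the mask and XOR it back out."""
    half = len(blob) // 2
    mask, masked = blob[:half], blob[half:]
    return bytes(c ^ m for c, m in zip(masked, mask))


def render_form(csrf_token: bytes, reflected_query: str) -> bytes:
    """Build a response that reflects user input AND carries a secret,
    which is exactly the combination the answer warns about. The secret is
    masked, so the page changes on every request even for identical input."""
    encoded = base64.b64encode(mask_token(csrf_token)).decode("ascii")
    return (
        f"<input name='q' value='{reflected_query}'>"
        f"<input type='hidden' name='csrf' value='{encoded}'>"
    ).encode("utf-8")


def verify_csrf(submitted_b64: str, session_token: bytes) -> bool:
    """Unmask the submitted value and compare it to the session's token in
    constant time, so the check itself does not leak anything."""
    try:
        blob = base64.b64decode(submitted_b64, validate=True)
    except (ValueError, TypeError):
        return False
    if len(blob) != 2 * len(session_token):
        return False
    return secrets.compare_digest(unmask_token(blob), session_token)


def should_gzip(path: str, secret_paths: tuple) -> bool:
    """Server-level mitigation: do not compress responses on routes that
    carry secrets. `secret_paths` is a hypothetical allow/deny list."""
    return not any(path.startswith(prefix) for prefix in secret_paths)


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    token = b"constructed-session-secret-0123"
    page_a = render_form(token, "shoes")
    page_b = render_form(token, "shoes")
    print("same input, different bodies:", page_a != page_b)
    print("gzip /static/app.js:", should_gzip("/static/app.js", ("/account",)))
    print("gzip /account/settings:", should_gzip("/account/settings", ("/account",)))
```

The masking approach keeps gzip on for the bulk of a site while making the secret unrepeatable across responses; the `should_gzip` check is the blunter alternative the answer mentions first, and the two can be combined.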
Fair points, thank you very much for the clarification!