
Selectively enable GZIP when HTTP referer matches external URL of GitLab host

gzip is disabled for HTTPS for a number of reasons, but Rails has anti-BREACH measures in place for CSRF tokens. In addition, we can mitigate the risk of this attack further by enabling GZIP only when the HTTP referer matches the GitLab origin.

For more details, see:

Edited by Stan Hu
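The referer check described above, as an added example that is not code from this merge request: `origin_of` and `gzip_allowed?` are hypothetical helpers, and `https://gitlab.example.com` is a constructed external URL. It compares full origins (scheme, host, port) instead of string prefixes, so a host that merely starts with the GitLab hostname does not enable compression.

```ruby
require "uri"

# Hypothetical helper: returns [scheme, host, port] for an absolute
# http(s) URL, or nil when the value is missing or not parseable.
def origin_of(url)
  uri = URI.parse(url.to_s.strip)
  # URI::HTTPS is a subclass of URI::HTTP, so this accepts both schemes.
  return nil unless uri.is_a?(URI::HTTP) && uri.host
  [uri.scheme.downcase, uri.host.downcase, uri.port]
rescue URI::InvalidURIError
  nil
end

# Hypothetical decision function: allow gzip only when the Referer header
# has exactly the same origin as the configured external URL.
def gzip_allowed?(referer, external_url)
  expected = origin_of(external_url)
  !expected.nil? && expected == origin_of(referer)
end

# Constructed sample values, not taken from the merge request.
EXTERNAL_URL = "https://gitlab.example.com"
SAMPLE_REFERERS = [
  "https://gitlab.example.com/group/project/issues", # same origin
  "https://gitlab.example.com:443/",                 # explicit default port
  nil,                                               # header absent
  "http://gitlab.example.com/",                      # scheme differs
  "https://gitlab.example.com.other.test/",          # prefix-only match
  "https://gitlab.example.com@other.test/",          # hostname in userinfo
  "https://other.test/?next=https://gitlab.example.com/",
  "not a url"
].freeze

def sample_decisions
  SAMPLE_REFERERS.map { |r| [r, gzip_allowed?(r, EXTERNAL_URL)] }
end

if __FILE__ == $PROGRAM_NAME
  sample_decisions.each do |referer, allowed|
    puts format("%-55s gzip %s", referer.inspect, allowed ? "on" : "off")
  end
end
```
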
