SSL/TLS: BREACH attack against HTTP compression
#5
A BREACH attack is extremely difficult to carry out in practice (it requires several conditions to be met simultaneously). Most sites and applications just ignore this risk.

It can be easily avoided by disabling HTTP compression, something that we are strongly against because it will just make your application slower for no reason.

Other than that, you can mitigate the risk by using CheckFormId and CheckWindowId (both options from ServerController.SecurityOptions). Combined, these options prevent all sorts of CSRF attacks, including the BREACH attack. I recommend that you start with CheckFormId only (in case CheckWindowId is not set). This option alone should be enough to stop it.


Messages In This Thread
RE: SSL/TLS: BREACH attack against HTTP compression - by Alexandre Machado - 11-08-2022, 06:44 AM