问题描述

我有一个具有相当大构建大小的react应用程序，它已部署在具有SSL的Nginx服务器上.我学到了一些有关GZip的知识，以及它如何改善网站的性能.但是我也知道，将GZip与SSL结合使用并不是安全的.Nginx默认为HTML文件启用GZip.我是否还应该为Javascript和CSS等其他文件启用它，以提高性能?

I have a react app with a pretty large build size, it is deployed on an Nginx server with SSL. I learned a bit about GZip and how it can improve the site's performance. But I also came to know that it is not to safe to use GZip with SSL. GZip is enabled for HTML files by default in Nginx. Should I enable it for other files like Javascript and CSS as well to improve performance ?

推荐答案

您说的

我假设您是在谈论突破攻击.为使成功的压缩响应成功突破违规攻击，需要满足两个条件:

i assume that you are talking about Breach Attack. Well for breach attack to be successful for the compressed response, two conditions need to be satisfied:

1. 在HTTP响应正文中反映用户输入
2. 在HTTP响应正文中反映一个秘密(例如CSRF令牌)

当您发送压缩的js/css文件作为响应时，通常不会在响应中反映用户输入.这意味着调用js/css文件url将仅返回该文件.

When you send compressed js/css files in response, you usually do not reflect user-input in the response. That means calling the js/css file url will only return that file.

此外，您通常不会在响应中返回任何敏感数据以及压缩的js/css文件.

Also you usually do not return any sensitive data in the response along with compressed js/css files.

所以是的，对js/css资产使用Gzip压缩是完全安全的.静态响应不容易受到这种攻击.

So yeah it is completely safe to use Gzip compression for js/css assets. Static responses are not vulnerable to this attack.

这篇关于我是否应该在具有SSL的Nginx服务器上为React应用启用Gzip?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！